Exclusive 


THE  STATE  OF 
INFORMATION 

SECURITY 

2003 

A  comprehensive 
examination  of 
global  security 
practices  with  7,500 
executives  from 
54  countries 

»  Practices 
that  Produce 
Confidence 

»  Spending 
Benchmarks  by 
Industry 

»  The  Global  View 

Begins  on  Page  79 


Your  budget’s  been  cut 
The  work’s  been  outsourced 


NEW  IN  CIO 

The  Exchange 

This  month  our  online 
CIO  community 
discusses  Portfolio 
Management  Best 
Practices... and  more. 


Page  52 


OCTOBER 15, 2003 • $9.00 CIO.COM


e  e-business  logo  and  e-business  on  demand  are  registered  trademarks  or  trademarks  of  International  Business  Machines  Corporation  in  the  United  States 
other  countries.  Study  conducted  by  AIS  and  PricewaterhouseCoopers.  Statistic  courtesy  of  The  Radicati  Group,  Inc.  ©  2003  IBM  Corp.  All  rights  reserved. 


This  is  not  a  drill.  A  recent  study  identified  financial  statistics,  R&D 
data,  strategic  plans  and  customer  lists  as  the  top  information  items  stolen 
from  companies.  Why?  Because  the  more  this  information  empowers 
you,  the  more  valuable  it  becomes.  Unprotected,  it  makes  a  juicy  target. 

But  even  random  attacks  can  cost  you.  The  Radicati  Group  says  malicious 
code  will  cause  over  $57B  in  economic  damage  by  2006.  The  answer? 

Security  solutions  that  work  inside,  outside  and  end  to  end.  “Can  I  see  some  ID  please? 


A  guide  to  the  on  demand  world:  Security 


How  to  tell  anyone 
anything  without  telling 
everyone  everything. 

It’s  a  tightrope.  And  as  an  on  demand  business,  you’re 
walking  it.  On  one  hand  you  need  to  be  responsive,  flexible 
and  welcoming.  On  the  other  you  need  to  protect  the  vital 
data  that  makes  such  flexibility  and  responsiveness  possible. 
Accessible  and  user-friendly,  but  still  secure.  Open  to  anyone. 
But  not  everyone. 


Countless  suppliers,  vendors  and  partners  are  connected  to  your  systems. 
Some  on  the  periphery,  some  so  tightly  integrated  that  they  have  direct  access 
to  your  processes.  That  gives  you  the  power  to  think  faster,  share  more  easily 
and  react  together  as  one.  As  an  on  demand  business,  it’s  your  point  of  strength. 
A  comprehensive  security  strategy  can  stop  it  from  becoming  a  point  of  pain. 


Can  you  see  it?  It’s  an  on  demand  world.  And  you  don’t  have  time 
to  wrestle  with  multiple  security  systems.  Think  all-in-one.  IBM’s 
Security  Event  Management  solution  can  centrally  manage  incidents, 
proactively  address  vulnerabilities,  protect  assets  and  ensure  continuity. 
Backed  by  IBM’s  thousands  of  industry  experts  and  technology 
specialists,  it  protects  the  bank,  without  breaking  it.  On  demand  security. 
Get there with e-business on demand™




As  of  today,  security  is  not  just  about  what  you  can 


McAfee

SECURITY 


Start with Intrusion Prevention Solutions from McAfee Security® and discover
how to go beyond merely detecting threats to preventing them altogether.
With  McAfee®  System  Protection  and  Network  Protection  Solutions,  your  business 
is  completely  protected — from  the  core  to  the  edge  of  your  network,  including 
servers  and  desktops. 

It's  about  what  you  can 


Start  building  productivity  faster.  Knowing  your  network  and  systems  are 
safe  from  both  known  and  unknown  threats,  you'll  be  free  to  focus  on  bigger 
picture  issues,  like  maximizing  the  ROI  of  your  technology  investment. 

Start  saying  yes  to  users  more.  Users  want  full  Internet  access,  they  want 
laptops,  they  want  PDAs,  they  want  wireless,  and  they  don't  want  to  hear  about 
how  security  concerns  outweigh  their  needs.  Now  they  don't  have  to.  Because 
with  McAfee  Security  you  can  start  giving  them  the  technologies  they  need 
without  giving  up  the  security  your  enterprise  demands. 

Start  growing  securely.  When  you're  secure  you  can  start  thinking  more 
about  how  ideas  spread  and  less  about  how  network  threats  spread.  You  can 
start  expanding  what  your  network  can  do,  not  simply  reducing  what  hackers 
can  do.  You  can  start  chasing  what  you're  after,  not  what's  after  you. 

Start  today  at  start.mcafeesecurity.com 


Network Associates


Network  Associates  and  McAfee  Security  are  registered  trademarks  or  trademarks  of  Network  Associates,  Inc.  and/or  its  affiliates  in  the  US 
and/or  other  countries.  All  other  registered  and  unregistered  trademarks  herein  are  the  sole  property  of  their  respective  owners.  ©  2003 
Networks  Associates  Technology,  Inc.  All  Rights  Reserved. 


VOL.  17  •  NO.  2  •  OCTOBER  15,  2003 


Cover  Story 

THE CIO ROLE | 66

The  Incredible 
Shrinking  CIO 

Their  budgets  have  been  cut,  their  work’s  been  outsourced, 
their  staff’s  been  downsized,  and  they’ve  been  pushed  off  the 
executive  team.  Their  status  within  the  enterprise  has  suffered. 
That’s  dumb.  And  for  CIOs,  not  fighting  back  would  be 
dumber.  By  Stephanie  Overby 


COVER  PHOTO  BY  STEPHEN  WEBSTER 


Features 


SECURITY 

The State of Information Security 2003 | 79

“The State of IT Security 2003” survey covered six continents,
54 countries and included more than 7,500 respondents. What
emerged is a portrait of a new discipline taking baby steps toward
defining norms and developing best practices. By Scott Berinato


Tom King, CISO of Lehman
Brothers  Holdings,  says  ID 
management  has  a  "huge  ROI. 
It’s  silly  not  to  do  it.”  But,  he 
and  others  caution,  you'll  need 
a  lot  of  patience.  Three  years 
into  his  own  rollout,  King  is 
still  far  from  done.  “I  don’t  see 
an  end  to  it,"  he  says. 


DATA  MANAGEMENT 
Identity Crisis | 94

Identity  management  projects  promise  big  returns,  but  be 
prepared  for  long,  complex  implementations. 

By Ben Worthen

STORAGE 

Storage Essentials | 105

For  many  companies,  storage  has  been  an  out  of  sight,  out  of 
mind  thing.  But  efficiencies  and  cost  savings  abound  for  CIOs 
willing  to  take  the  necessary  steps  toward  a  rational  storage  plan. 
By  Todd  Datz 

CASE FILES | VALUE SYSTEMS
Project Triage | 115

Rapid  growth  forced  the  Visiting  Nurse  Service  of  New  York  to 
develop  a  customized  value  methodology  that  has  helped  bring 
projects  and  goals  into  focus. 

By  Lafe  Low 

MORE  ►►► 


The right management can increase
the storage capacity of your existing infrastructure.

BrightStor  Storage  Management  Software 

More  hardware  can't  solve  increasingly  complex  data  storage  problems.  That's  why  BrightStor  storage  management 
software  has  a  full  suite  of  products  to  manage  every  aspect  of  storage,  from  maximizing  capacity  to  easy  data  access. 
The  result  is  lower  cost  of  ownership  and  higher  ROI.  BrightStor  is  also  seamlessly  integrated  and  automated,  so  you 
can  focus  on  business,  not  details.  To  start  making  the  most  of  your  IT  storage  environment,  go  to  ca.com/storage. 


Columns 


TOTAL  LEADERSHIP 
The Citizen CIO | 56

What  you  can  do  for  your  country. 

By  Christopher  Hoenig 

MAKING  I.T.  WORK 
Lies,  Damned  Lies 
and Requirements | 60

The  road  to  applications  development  hell 
is  paved  with  rigid  code  requirements. 

By  Michael  Schrage 

REALITY  BYTES 
Who’s the Boss? | 122

CIOs  need  to  learn  to  tailor  messages  to 
the  decision-makers  they’re  addressing. 

By  Megan  Santosus 

CAREER  COUNSEL 
How  to  Stand  Out 
in the Crowd | 126

When  being  different  is  good. 

By  Beverly  Lieberman,  Gerry  McNamara 
and  Mark  Polansky 

FINE  PRINT 

The Copyright Cuffs | 134

Why  we  should  care  who  gets  the 
merchandising  deal  from  a  movie  or 
the  song  tie-in  on  a  variety  show. 

By  Jonathan  Zittrain 

Sections 

TRENDLINES | 36

Next  time  the  lights  go  out;  Virus  attacks; 
Amazon.com,  software  vendor;  A  CIO’s 
journey  to  CEO.  And  more 


NEW  in  CIO 

THE EXCHANGE | 52

Compiled  by  Martha  Heller 

Portfolio 

Management 

Our  newest  column,  compiled  by 
Martha  Heller,  director  of  the  CIO 
Best  Practice  Exchange,  takes  on  the 
nagging  question  that  lurks  within  the 
consciousness  of  most  CIOs:  How  do 
I  know  I’m  working  on  the  right  projects? 


WASHINGTON WATCH | 40

New  warning  system  taps  security 
contractors  for  attack  data. 

PLUS:  Congressman  wants  companies 
to  report  cyberdefense  steps. 

OFF THE SHELF | 46

The  Innovator’s  Solution  and  The  Art  of 
Happiness  at  Work.  CIO  Best-Sellers. 

ESSENTIAL TECHNOLOGY | 146
Betting  on  BTO 

Business  Transformation  Outsourcing 
promises  technical  innovation — if  you  set 
expectations  properly  and  can  stomach 
the  risk.  By  David  L.  Margulius 

UNDER DEVELOPMENT | 152

A  Xerox  device  aims  to  move  light  beams 
to  route  traffic  around  a  network. 

PUNDIT | 154

Roadside  wireless  options  abound — even 
at  McDonald’s — but  can  you  let  users  take 
advantage  and  still  keep  your  systems  safe? 


In  Every  Issue 

FROM  THE  EDITOR 
Dumb and Dumber | 12

The  CIO  role  is  in  real  danger  of  being 
dumbed  down,  diminished  or  ditched. 

By  Richard  Pastore 

INBOX | 16

Reader  feedback 

WHAT WE COVER, WHO TO CONTACT | 30

CIO  editorial  contacts  sorted  by  industry, 
and  business  and  technology  areas. 

BOARD OF ADVISERS | 33

When  we  don’t  know,  this  is  who  we  ask. 

INDEX | 158

EXECUTIVE SUMMARY | 160

Abstracts  of  all  the  feature  stories  found 
in  this  issue. 




CIO  OCTOBER  15,  2003  •  www.cio.com 


1  wireless  vendor  + 1  wireline  vendor  + 1  problem  =  multiple  places  to  place  blame.  That's  when  problems 
can  really  multiply.  And  that's  time  for  Sprint.  Sprint  built  its  wireline/wireless  network  from  the  ground  up. 
Designed  it  specifically  for  greater  reliability  and  security.  We  stand  behind  it.  And  our  industry-leading 
SLAs  back  it  up.  Let  us  show  you  how  end-to-end  accountability  works.  Especially  if  you  have  a  network 
that  doesn't.  It's  time  for  Sprint.  Go  to  sprintbiz.com/time,  or  call  1 866  629-5023. 


Sprint 


One Sprint. Many Solutions.


Voice/Data  PCS  Wireless  Internet  Services  E-Business  Solutions  Managed  Services 


INTERACTIVE 

>features 

from  October  15  to  October  31 


Our Daily Web

MONDAY Tech Tact

Technology Editor Christopher Lindquist covers what’s coming.

TUESDAY Quick Poll

Read what CIOs think about current IT issues.

WEDNESDAY Metrics

Web Writer Jon Surmacz makes sense of the numbers.

THURSDAY Sound Off

Web Editorial Director Art Jahnke opines on ethical dilemmas.

FRIDAY The Big Picture

Charts and graphs worth 1,000 words.


ASK THE SOURCE

How Much Identity Management Is Too Much?

As Lehman Brothers Holdings’ CISO, Tom King has made some tough decisions about identity management programs. Read Identity Crisis on Page 94 to get the insight of his experience. Then pose your questions or share your identity management tales with King through Oct. 31. Go to www.cio.com/ask.

LEARN MORE

A Storage Smorgasbord

Storage Essentials, Page 105, gives you the latest in trends and approaches to the knotty problem of data storage. For a broader overview, including metrics and links to other storage stories, see the CIO Executive Summary on data storage at www.cio.com/printlinks.

ADD A COMMENT

Discuss Amongst Yourselves

Are you being buffeted by the role changes described in The Incredible Shrinking CIO (Page 66)? Wondering what to do about it? To ask your fellow CIOs for advice or share your own, go to the Add a Comment box at the bottom of the online version of this article.

It Started on the Web

Our new monthly column featuring members of the CIO Best Practice Exchange debuts in this issue (see The Exchange, Page 52). To interact directly with the CIOs you find in these pages, join our members-only online forum. Apply for membership at exchange.cio.com.


Online Exclusives

Security—A World View

» You can read The State of Information Security 2003 on Page 79. And for the results of our global security study in an interactive, visual format, go to www2.cio.com/research.

Methodology—A Quick View

» The Visiting Nurse Service of New York’s process for selecting IT projects is outlined in the value case study Project Triage (Page 115). View that process in a nutshell with the VNS’s valuation flowchart. Ideal for sharing with your colleagues. Find the chart at www.cio.com/printlinks.



PHOTO  LEFT  BY  STEVEN  VOTE 


NextiraOne


Finally,  a  company  that  talks  big  and 
works  bigger.  A  company  that  talks  ROI 
and  actually  delivers.  A  company  that 
provides  real  business  value  you  can 
measure.  A  network  solutions  and 
services  provider  called  NextiraOne. 

At  NextiraOne,  we  bring  clarity  to  your 
complex  communications  networks. 
Planning,  designing,  implementing, 
supporting  and  managing.  For  voice, 
data  and  converged  infrastructures. 

In  the  United  States  or  around  the 
world.  You  name  it,  we  do  it  -  with 
world-class  results. 

www.NextiraOne.com  (888)  888-1055 


It  ain’t  braggin’ 
if  you  can  do  it. 


INTRODUCE 
SALES  &  MARKETING 

TO  PRODUCTION 

WITHOUT  HAVING 

TO  WAIT  FOR  THE 

COMPANY  PICNIC. 


Advertisement 


To  succeed  today,  your  enterprise  has  to  undergo  a 
rapid  transformation  from  a  series  of  functionally  driven 
silos  connected  by  a  common  mailroom  to  a  whole  whose 
sum  is  greater,  and  more  profitable,  than  its  parts. 

It’s  called  integration.  And  it’s  more  than  just  the 
latest  trend;  it’s  the  key  to  survival  in  an  increasingly 
unpredictable  economic  climate. 

The  payoff:  increased  revenue,  less  cost,  greater  efficiency, 
and  more-satisfied  customers. 

CRM, SAY HELLO TO SCM.

The  idea  of  integrating  SCM  and  CRM  is,  quite  simply, 
a  “no-brainer.”  It  quickly  results  in  maximum  value  across 
your  entire  supply-demand  chain.  In  fact,  only  when  the 
two  solutions  are  integrated  is  either  being  used  to  its  fullest 
money-making  potential. 

With integration, your back office can quickly deliver
on front-end promises, satisfying even your most
difficult-to-please customers.

You’ll  gain  the  ability  to  accurately  prioritize.  Valuable 
resources  will  no  longer  be  spent  on  unprofitable  customers 
or  products. 

Timely  customer  information  flowing  across  your 
supply  chain  will  enable  you  to  optimize  product  and 
service  development. 

You’ll  be  able  to  more  accurately  forecast  demand, 
reducing  costly  stock-outs  and  overstocks. 

Your  sales  reps,  armed  with  inventory  data,  delivery 
schedules,  and  product  insight,  will  become  considerably 
more  productive. 

And  that’s  just  the  tip  of  a  very  profitable  iceberg. 

Of  course,  the  concept  of  integration  is  one  thing. 
Accomplishing  it  is  quite  another. 


TECHNOLOGY  HAS  FINALLY  CAUGHT  UP  TO  VISION. 

For  over  a  decade,  integration  has  been  the  Holy  Grail. 
Unfortunately,  companies  had  to  spend  prohibitive 
amounts  of  money  and  time  building  custom  interfaces 
that  might  make  SCM  and  CRM  work  together. 

But  now  there’s  a  new  technology  platform  that  lets 
you  get  it  done  more  easily  than  ever  before. 

It’s called SAP NetWeaver.

SAP  NetWeaver  is  a  comprehensive,  open  technology 
platform  that  seamlessly  connects  your  people,  information, 
and  business  processes.  This  unique  “process  approach” 
allows  all  your  departments  to  share  information  in  real 
time.  Delays,  miscommunication  and  waste  are  minimized. 
Profitability  is  increased  —  often  dramatically. 

And  since  you  can  quickly  snap  a  large  variety  of 
your  current  applications,  both  SAP  and  non-SAP,  onto 
SAP  NetWeaver,  time  to  ROI  is  significantly  reduced. 

READ THE EYE-OPENING STORY.

GET  YOUR  FREE  WHITE  PAPER. 

In  short,  integrating  SCM  and  CRM  allows  you 
to  precisely  identify  the  demand  trends  of  your  most 
profitable  customers  and  respond  with  the  product  that 
best  meets  their  needs  using  the  most  efficient  mix  of 
materials,  services  and  suppliers. 

Get all the details — the benefits, the insights, the
results — in a special new white paper, “Supply Chain
and Demand Chain Integration: The Pathway to Profit and
Competitive Advantage.”

It’s an in-depth exploration of how integration can provide
your business with a competitive advantage in product
leadership, operational efficiency, and customer intimacy.


Get  your  free  copy  at  sap.com/integration 


THE  BEST-RUN  BUSINESSES  RUN  SAP 


GET  YOUR  FREE  WHITE  PAPER  ON  SUPPLY  CHAIN  AND  DEMAND 
CHAIN  INTEGRATION.  GO  TO  SAP.COM/INTEGRATION 



From  the  Editor 


Dumb  and  Dumber 


Check  out  the  new  monthly 
sections  debuting  in  this 
issue:  The  Exchange 
(Page  52)  and  Essential 
Technology  (Page  146).  Let 
us  know  what  you  think  of 
them  at  letters@cio.com. 


A CIO WHO HAS SERVED for years on CIO’s
editorial advisory board broke the bad news to us
this summer in a terse e-mail: “My company has
decided to take a different approach toward IT.
The new approach unfortunately does not include
the CIO position. They are planning on outsourcing
IT operations.”

In these days, with so many companies caught in
the corporate convulsion of reducing spending at
all costs, wholesale outsourcing is becoming too
tempting for companies to resist. Consequently,
CEOs and CFOs are questioning why they need a
pricey CIO position heading a business function
that’s been effectively outplaced. Get rid of the function,
and ditch the function head. Give the vendor
contracts to the CFO to manage, or install a relatively
cheap IT project manager to manage vendors.
End of problem. End of expense. End of story.

What we’re seeing, I think, is another iteration of
a cyclical phenomenon where enterprises lose faith
in IT as a strategic entity, and therefore assume they
can do without a strategic IT leader. The CIO role
is in real danger of being dumbed down, diminished
or ditched. You can read about why and how
this is happening in Stephanie Overby’s feature “The
Incredible Shrinking CIO,” on Page 66.

The fact is no sane enterprise should turn over
responsibility for the strategic exploitation of information
technologies to a vendor. And that’s what
an outsourcer is, after all — a company that wants
to make money from your organization and as
many other customers as possible.

But there’s no denying that the massive migration
of IT jobs offshore has and will continue to
dramatically downsize the CIO’s domestically
based staff. What CEOs and their boards need to
understand is that the location and size of an
IT workforce doesn’t determine the need for a
highly skilled CIO. Globalization is here to stay;
its expansion is inevitable. In that context, it makes
perfect sense that CIOs should command a global
IT workforce, even if some or most of that workforce
is employed by an outsourcer. As Paul Saffo,
director at the Institute for the Future, said at the
CIO 100 Symposium in August, IT staff will come
from everywhere, and so will the CIO.

Enterprises  that  think  they  can  do  without  a 
strategic  CIO  are  kidding  themselves.  At  a  time 
like  this,  when  we  seem  finally  ready  to  move 
slowly  but  steadily  toward  economic  recovery,  the 
worst  thing  in  the  world  an  organization  can  do 
would  be  to  eviscerate  the  position  and  cede  any 
chance  of  using  IT  for  a  competitive  jump  start 
and  sustainable  advantage. 


Richard  Pastore,  Deputy  Editor 
pastore@cio.com



PHOTO  BY  JASON  GROW/SABA 


Know  what  it  costs  to  create,  produce  and  manage  all  your 
company’s  documents?  Know  how  to  cut  that  cost  by  up  to  40%? 

There’s  a  new  way  to  look  at  it. 


The Xerox Office Document Assessment has the answers. It
tells you what you spend and how to spend less on printing,
faxing, copying, scanning, and archiving paper and electronic
documents. Working with a Xerox team and using Six Sigma
methodology, you get a comprehensive analysis of the total costs
associated with all your document processes. And you get the
tools to track and control these costs over time. This analysis
has helped leading companies cut costs by up to 40% and
improve the speed at which work gets done. With over 40 years
of research and experience improving document processes,
Xerox can help you eliminate hidden costs while implementing
ideas that can unleash the full potential of your organization.

Learn more: www.xerox.com/learn

The  Document  Company 

XEROX. 


© 2003 XEROX CORPORATION. All rights reserved. XEROX, The Document Company and There's a new way to look at it are trademarks of XEROX CORPORATION


UNISYS PRESENTS

A few minutes with Dr. Jim Metzler,
Vice President,
Ashton, Metzler & Associates


Dr. Jim Metzler

Dr. Jim Metzler is widely recognized as an authority
on both network technology and its business applications.
In over 28 years of professional experience,
Jim has assisted tens of vendors in refining their product
strategies and simultaneously helped over a hundred
enterprises evolve their network infrastructure.

Managed

> What is a managed security services provider
(MSSP)?

An MSSP is a company in the business of providing electronic
security services on a third-party basis. (MSSPs such as Unisys
are preparing to support physical security such as implementations
of Lenel access control systems or IP-enabled video
surveillance cameras that might be remotely monitored from
a security operations center.) There are a wide range of
MSSPs — from companies that provide one or two very specific
security services to companies that provide a large number
of security services.

“The principal benefit of
using an MSSP is that it
gives a company access
to skilled resources.”

> What are the benefits of outsourcing your
enterprise security infrastructure to an
MSSP?

Driven either by concerns about their own financial vulnerability
or possibly by government regulation, security is one of
the top issues in virtually every IT organization. Moreover,
security is also very visible — if a company has a security
breach, it is often well-publicized both within and without the
company. The principal benefit of using an MSSP is that it gives
a company access to skilled resources.

> Does a company relinquish control of
security services when using an MSSP?

That is the key risk associated with any sort of outsourcing
relationship. Given that, it is important to turn this concern
into the key criteria that a company uses when choosing what
they will outsource, as well as to whom they will outsource.

In particular, when a company is considering using an MSSP,
the company needs to ensure that the MSSP has processes
that are flexible enough to ensure that the company is not giving
up an unacceptable amount of control.

> Which strategic security functions should
remain in-house and which can be outsourced?

There is one function that absolutely must be outsourced, and
that is doing a security audit. Each company must have regular
security audits performed. The MSSP that is doing the audit
must of course have expertise in this area and must also be
clear of conflict of interest — it cannot be an organization that
is providing any other security functionality for the company.

As  a  general  rule,  companies  that  fit  the  following  criteria 
should  outsource  functions: 

•  The  company  is  not  good  at  performing  that  functionality, 
nor  do  they  foresee  developing  the  requisite  expertise; 

•  The  company  feels  confident  that  they  have  found  an  MSSP 
with  the  expertise; 

•  The  company  feels  confident  that  it  can  maintain  a  high  level 
of  control  while  using  the  MSSP. 

> What should a company look for in a potential
MSSP?

A good security approach should embrace a multilayered
security infrastructure that requires multiple technologies,
process and procedures to be breached. In evaluating security
outsourcing, an organization should make sure that they
do the following:

•  Obtain  clear  and  concise  Service  Level  Agreements 

•  Clearly  understand  the  roles  and  responsibilities  of  both  the 
outsourcing  provider  and  the  in-house  staff. 

• Come to clear agreement on security incident severity levels
and the desired actions should an incident occur.

•  Look  for  up-to-date  accreditation  or  certifications  for  the 
personnel  who  work  for  the  MSSP. 

• Examine what security tools are used by the MSSP, particularly
any tools that the MSSP might have developed that provide
important functionality that the company currently lacks.

•  Are  the  MSSP’s  processes  thorough  and  detailed  enough  to 
show  a  thought-out,  well-documented  approach  to  providing 
security? 

•  Choose  an  MSSP  that  has  a  strong,  demonstrable  track 
record  of  providing  the  security  services  of  interest  to  a  wide 
range  of  customers,  including  some  that  are  similar  to  the 
company  in  question. 

•  Check  to  make  sure  that  the  MSSP  can  provide  the  services 
in  the  local  geography  or  required  language. 


For  more  information,  please  call  800-874-8647  x385 
or  visit  www.unisys.com/security 


UNISYS 

Imagine  it.  Done. 


Server  Technology. 



Imagine  it: 

Changing the model of the data center to reduce
complexity. And gaining control over costs and
services for each customer.

Done: 

JetBlue  Airways  worked  with  Unisys  to  extend 
its  standardization  on  Microsoft®  Windows® 
to  the  enterprise  level.  Our  experience,  support 
and  comprehensive  services  bring  mission-critical 
reliability  and  simplified  control  with  our  ES7000 
enterprise  server.  It  scales  to  32  Intel®  Xeon™ 
processors  for  massive  power  and  efficiency. 
And  the  money  JetBlue  saves  managing  its  data 
center  it  puts  back  into  keeping  fares  low  and 
customer  satisfaction  high.  After  all,  the  more 
control  you  have  over  costs  and  complexity, 
the  more  competitive  edge  you  achieve. 


Servers  and  Services  with  precision  thinking, 
relentless  execution  to  drive  your  vision  forward. 


Imagine it. Done.


XEON 


unisys.com: 1.800.874.8647 x371


© 2003 Unisys Corporation. Unisys is a registered trademark of Unisys Corporation. Intel, Intel Inside, the Intel Inside
logo, and Intel Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries. © 2003 Microsoft Corporation. All rights reserved. Microsoft, Windows and the Windows logo
are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.



InBox 

Reader  Feedback 


Editor’s  note:  Our  Sept.  1, 2003,  special  report  on  offshore  outsourcing  struck  a 
chord.  In  that  report,  we  covered  the  politics  (see  “Backlash”),  the  people  (see 
“The  Radicalization  of  Mike  Emmons”)  and  the  money  (see  “The  Hidden  Costs 
of  Offshore  Outsourcing”)  involved  in  such  endeavors.  In  addition,  Editor  in 
Chief  Abbie  Lundberg’s  editorial,  “Are  You  an  Activist?”  continued  the 
debate  as  she  asked  for  your  thoughts  on  becoming  involved  in  the  fight  to 
limit the number of H-1B and L-1 visas. While we couldn’t possibly fit all your letters in one
issue,  we’ve  included  those  that  represent  the  wide  spectrum  of  views.  If  you  missed  the  offshore 
special  report  the  first  time  around,  find  it  at  www.cio.com/printlinks. 


THE  OFFSHORE 
DEBATE  RAGES... 

I  believe  that  corporate  executives  who 
outsource  jobs  overseas  should  have  their 
names  publicized  so  that  they  may  be 
ostracized.  I  also  believe  that  cheating 
CEOs  should  be  prosecuted,  jailed  and 
made  to  pay  restitution  to  those  they 
cheated. Congress can pass laws that forbid
overseas outsourcing, just as it can
intervene  in  the  corporate  scandals  to 
impose  just  penalties  on  the  corporate 
executives  who  cheat  the  investors,  the 
employees  and  so  on.  Congress’s  evident 
reluctance  to  act  in  the  case  of  cheating 
corporate  executives  indicates  that  its 
members’ sympathies lie with the miscreants.
For that reason, I believe that
although  Congress  can  and  should  act  to 
stop  offshore  outsourcing,  it  won’t. 

Congress, which P.J. O’Rourke castigated
in his book Parliament of Whores,
sells its votes to the highest bidder. Business
is the highest bidder, so Congress
will  vote  according  to  the  dictates  of 
large-corporation  CEOs.  There  are  no 
statesmen  in  Congress:  no  Washington’s, 
no  Jefferson’s,  no  Franklin’s,  just  a 
bunch  of  clowns  itching  to  sell  their 
votes.  We  are  suffering  from  a  paucity 
of  leadership.  Corruption  is  rampant. 
We  are  rapidly  heading  for  the  day  when 
America becomes a true oligarchy. An
oligarchy is the antithesis of democracy.
A solution must lie outside the legislative
process.

Robert  Boos,  r_boos@msn.com 

In “The Hidden Costs of Offshore Outsourcing,” you state that “CIOs must pay the prevailing U.S. hourly rate to offshore employees on temporary visas...” and that “Indian companies charge U.S. companies $20 an hour for an employee they pay around $10.”

In truth, however, American companies do not pay any rate to offshore workers; they pay it to the company that brings them over. Typically this rate is slightly lower than what the company would pay to a U.S.-based consultancy (say $60 per hour instead of $65). The Indian consultancy then pays the offshore employee the $10- to $20-per-hour rate and pockets the difference (which can be up to a healthy $40 an hour). Very nice for the top brass of India-based Tata and Syntel and others; not so good for the offshore worker or the America-based worker they will eventually replace.

Stephen  Lloyd 

Question: What’s the difference between a CIA agent or a military officer who sells secrets to a foreign government and a company that shifts jobs and factories overseas?

Answer:  There  is  no  difference. 

Joe  Springer 

Manager,  Software  Quality  Assurance 

More than a decade ago, I watched my single mother go from middle class to working poor, thanks to Nafta. During the great quest for cheap labor, my mother was displaced and has never financially recovered. Now she is close to retirement, has no 401(k) left and will spend her golden years working in her low-wage job.

Today we are witnessing the same trend as corporations have taken to moving professional jobs overseas. What happened to my mother is happening to a much younger generation of Americans and at a much faster pace. What Americans should be most concerned about is the unlimited influence corporate dollars have over our government. While free trade and cheap labor have increased corporate wealth, they are crippling working-class families in America and moving them into poverty.

Anonymous 


What  Do  You  Think? 


Send  your  thoughts  and  feedback  to 
letters@cio.com.  Letters  may  be  edited  for 
length  or  clarity.  For  a  link  to  the  articles 
mentioned,  go  to  www.cio.com/printlinks. 



PHOTO BY ALBERTO CAPOLINO




Rather than attempting to squash the trend of offshore application development, I believe the industry should come to embrace it. As pointed out in Who Moved My Cheese? we have four options when faced with change: We can sense the coming change and make adjustments; we can move into quick action once it does happen; we can be devastated by the change and eventually move on; or, we can continue to fight with all our might only to sit and die once we lose.

I believe the proper action is to move on quickly before offshore development drastically affects our lives. Now is the time for those professionals in the business of writing software to realize that they are actually in the business of innovating, thinking and creating. Now is the time for them to move on to a more challenging endeavor: creating a good business that meets the needs of the economy.

From a quality-of-life and economic perspective, this trend will eventually be excellent for both the domestic and global economies.

Jeff  Steward,  COO,  GreenField  Solutions 
jeff.steward@greenfieldsolutions.com 

At my company, a financial institution, I see low-level clerical/processing jobs being moved to India. The entire IT department (myself included) has been outsourced, and within the new company, global outsourcing is already well established. Our global help desk is in Mumbai. My experience with this help desk is very positive. It is clear that I am dealing with intelligent, well-educated personnel, who are superior to those I have experienced on our U.S. help desks. I don’t see how a company cannot afford to do this.

That said, it is clear that there should be some effort made to ease the effects on the American worker. The laws that were passed to allow foreign workers to come to this country on a temporary basis need to be repealed. There is no longer a shortage of workers in the technology field, so the laws no longer make sense. They have simply enabled companies to hire cheap labor.

I have great sympathy for my coworkers who have been forced out on the street with little chance to reestablish their careers in a poor economy and decreasing job opportunities. My salary, which rose steadily through the ’90s, has been frozen for the past two years, and we have been told to expect nothing from the new company. I am lucky to have a job and will not be surprised if I am let go when the transition period of this outsourcing initiative is over.

What will I do? Look to health or education and a greatly reduced standard of living. However, you might ask, Who will be paying for these services in the new economy? Certainly not the rich, who are having their tax burden reduced at the same time they make the decision to send the jobs overseas. But don’t get me wrong. This problem is bigger than the “class” warfare Republicans accuse the Democrats of. It seems to me that none of our politicians are paying much attention to this issue.

William  Parsons 

Project  Manager,  Disaster  Recovery 




I have been watching the public relations spin that Indian companies have been putting on the quality of education in India. Most notably, 60 Minutes did a recent piece touting the superiority of the Indian Technology university to American schools. While the education may be very good, I stand in disagreement to its superiority. Creativity and imagination are qualities that cannot be taught to students.

What I am seeing in the industry is that our Indian counterparts (and Chinese for that matter) are excellent at crunching numbers and performing complex mathematical equations; however, they lack the ability to “think outside the box.” Thinking outside of the box is a quality that children are raised with. American culture fosters such thinking, while Indian and Chinese cultures stress conformity. I am surprised that HR groups have not examined this issue entirely before offshoring critical programming projects.

Lydia  P.,  IS  Project  Manager 
lydiap@attglobal.net 

The partnership between the United States and India is growing, and IT is one of the channels. The United States is the world’s melting pot, and India is the “melted pot” of the past. Strong education skills, English communication abilities, a democratic and pluralistic polity, and above all the desire and ambition to succeed are the strong points of India and its people.

A booming Indian economy also means more business for Caterpillar, Coke, Dell, Ford and so on. So — Americans should not get too negative when the forces of globalization affect some individuals. Of course, it creates upheavals and uncertainty, but it’s a byproduct of the path we have chosen — global and free trade.

Alternatively we can focus on the positives of increased distribution of wealth, a coming together of cultures and new business opportunities. The solution for Americans in technology lies in higher education, business training and being on the cutting edge of technology. India is a potentially huge market for U.S. corporations.

The partnership between India and the United States is based on values and common interests that will stand the test of time.

Vinod Kumar, Senior Technical Analyst
vinsap@yahoo.com

I find this whole debate about offshore outsourcing and its potential destruction to the IT industry, economy and so on rather amusing.

I accepted a position five years ago to relocate to Brazil and work on a large systems integration project. Brazilians are hard-core activists, and over time I began to learn that there is a lot of animosity toward the United States because of our support of military dictatorships during the 1970s and ’80s and, more recently, because of American-driven globalization efforts.

Do Americans such as Mike Emmons, who lost his job when his company outsourced to India, know that globalization is synonymous with America in the world? Do they know that the proliferation of every American product is a result of capitalistic lobbying efforts to get a McDonald’s on every street corner in the world? This is just a taste of our own medicine, and if you compare it with 40 years or so of significant corporate American foreign sales, the argument is weak.

Capitalism — the foundation of America — is the issue here, not CIOs turning on their employees. As I see it, Emmons and this movement can’t stop something that is a side effect of the world America has created. Today, back in the United States, my company is creating a business that will outsource to Brazil.

If  you  can’t  beat  them,  join  them — and  be  the  best  at  it. 

Anonymous 

Business  Manager,  Offshore  Outsourcing 

ON  BEING  AN  ACTIVIST 

The questions you raise in “Are You an Activist?” are part of a broad set of questions that managers need to think about, capitalizing on the inevitable migration of some type of jobs elsewhere because of the functionality offered by IT.

We have to face the challenge of creating the next best thing that will have global appeal and value so that we can reap benefits from innovation and creativity. Could it be biotechnology, life sciences, nanotechnology, next-generation softwares? I concur with you that protectionism is myopic, and U.S. corporations will be competitively disadvantaged if legislations prevent them from obtaining the best price for the requisite capabilities.

Also, I fully agree that we must find a way to put an end to inequitable pay-scales when work is carried out within the United States (irrespective of the immigration status of the employee). This is one issue on which I could be an activist because the current practice creates friction within the teams working on the same processes and allows some companies to exploit salary arbitrage between Indian wages and U.S. wages.

The first generation of multinational corporations exploited differential cost structures in physical sources of advantage — land, material, mines and factories. The current generation of multinationals is exploiting differential cost structures in intangible and intellectual resources — educated labor pool and brainpower. In the long run, we are better off searching for ways to move up the intellectual value chain rather than protecting historical pay scales for talent and skills that are out of sync in a global, networked market for business processes and IT-enabled services.

N.  Venkat  Venkatraman 
Professor  of  Management, 
Chair,  IS  Department, 
Boston  University  School  of  Management 

venkat@bu.edu 

Let’s remember that H-1B visas have been used to bring highly talented individuals into our IT workforce. These folks live here, spend money here, and may become American citizens. I feel it would be a pity to shatter the dreams of these individuals for the wrong reason.

I believe that if you interview young teens today, you may find a root cause of many of our problems in this country. Many kids in school today are not taking the basic math and science classes that “prime the pump” for the high-level courses in high school and college. The end result: an underqualified U.S. workforce. The fine folks from India, Asia and the like are much better qualified and even willing to learn to speak our version of English.

Robert  Noland,  Strategic  Development  Manager 
International  Sematech  Information  Technology 
robert.noland@sematech.org 

As an unemployed IT worker in Connecticut, my biggest concern is what the future holds for my 2-year-old son. Is he going to find work in this country at a decent wage? What incentives do I have as a parent in encouraging him to pursue a college education like I did if at the end of the road there are no jobs? I’d much rather have him learn a trade (plumbing, electrician, carpenter) than seek a career in the corporate community.

I believe the trends we are seeing today in terms of offshoring and outsourcing of our jobs will have a long-term, negative impact on the competitiveness of our workforce, our national security and the quality of life we enjoy in this nation.

Anonymous,  Senior  Software  Programmer 

Much of the U.S. critical infrastructure now depends on outsourced IT services. The other side of the world has an instantaneous impact on how and whether the United States can conduct business at home. Is offshore outsourcing secure?

The security problems facing U.S. corporations are magnified many times when their IT processes are stretched across continents by multiple vendors relying on service providers that are often unknown to the U.S. clients. While U.S. corporate security departments have struggled heroically against worms, viruses and widespread hacking attempts, what were their offshore IT vendors doing during this time? Our experience at TerraFirma Security, an IT outsourcing security specialist, shows that very few companies can answer that question.

On recent offshore audits, we found:

■ Facilities with guards who allowed us to enter without passes

■ An offshore development center (ODC) where no one checks firewall logs

■ An ODC with no security policy

■ Facilities that do not use intrusion detection

■ U.S. clients that have never audited their offshore suppliers

While I am reluctant to draw broad public attention to this issue in case we give the bad guys some ideas, I strongly feel that it is imperative to wake up U.S. corporations to the inherent risks.

Rob  Ramer,  CEO 
TerraFirma  Security 
rob.ramer@tfsecurity.com 




I believe some things need to be done before it is too late.

■ Pass legislation that bars corporations with more than 20 percent of their operations and employees overseas from gaining government contracts

■ Pass legislation that closes the loopholes through which multinational corporations can be made to look like they are U.S.-based

■ Raise the penalties on corporations that abuse L-1 and H-1B visa regulations so that it outweighs the potential savings

■ Forget Nafta, GATT and other one-way trade agreements and reimpose tariffs

■ Provide tax benefits to corporations that employ American workers only

■ Provide a readily available and understandable public data source to report on companies that are America-friendly

■ Pass real campaign-finance reform whereby corporations, not the citizens, are barred from contributing to campaigns. This way, politicians will have to rely on John Q. Public to get reelected, not Bill Gates, Larry Ellison or Jack Welch — or, for that matter, any foreign government.

Darryl  W.  Malcolm,  Director  of  IT 
malcolmd@starband.net 


One day in the not too distant future, the shortsighted companies that were more than eager to send their work offshore will wake up to find out that they have no company at all.

Of course, these companies don’t see this as a problem right now. They currently have their eyes fixed on the task of maintaining the stream of wealth they receive from their stock options and bloated salaries. For some reason, they believe this hoard of wealth will protect them.

Fools! They don’t see that they are destroying the entire financial fabric of this nation.

As for me, I will be surprised if I am still employed by the end of the year. I am 54 years old and face the prospect of possible forced-retirement before I am 55. Who knows, maybe the federal government will lower the retirement age to 55 in order to keep the baby boomers from burning Washington, D.C., to the ground. Then again, the mountain of money that would be needed to do this would destroy the worth of the very money being handed out.

I came into this world a member of a very poor family. Alas I may go out the same way.

Raymond  Hansil 

Consultant 




The  Resource  for  Information  Executives 


President  Walter  Manninen 
Publisher  Gary  J.  Beach 

Editorial  Director  Lew  McCreary 

EDITORIAL 

Editor  in  Chief  Abbie  Lundberg 
Deputy  Editor  Richard  Pastore 
Managing  Editor  David  Rosenbaum 
Managing  Editor,  Production  Cheryl  R.  Asselin 

Executive  Editors  Alison  Bass,  Michael  Goldberg, 
Christopher  Koch 

Leadership and Management Editor Edward Prewitt,
Opinion and Knowledge Management Editor Megan Santosus,
Research Editor Lorraine Cosgrove Ware,
Special Projects Editor Mindy Blodgett,
Technology Editor Christopher Lindquist

Senior  Editors  Scott  Berinato,  Todd  Datz, 

Alice  Dragoon,  Elana  Varon 

Features  Editor  Late  Low 

Senior  Writers  Meridith  Levinson,  Stephanie  Overby, 
Sarah  D.  Scalet 

Staff  Writer  Ben  Worthen 
Copy  Chief  Tom  Wailgum 

Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Copy  Editors  Kelli  Gauthier  (Assoc.), 

Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Special  Projects  Manager  Lynne  Z.  Rigolini 
Editorial  Resource  Manager  Carol  Zarrow 
Editorial  Assistant  Daniel  J.  Horgan 

Contributors  Grant  Gross,  Christopher  Hoenig, 

Tom  Krazit,  Beverly  Lieberman,  David  L.  Margulius, 
Gerry  McNamara,  Mark  Polansky,  Paul  Roberts, 
Michael  Schrage,  Jonathan  Zittrain 

Editorial  Operations  Specialist  Julie  Hanson 


How  to  Reach  Us 

E-mail letters@cio.com
Phone  508  872-0080 
Fax  508  879-7784 

Address  CIO  Magazine,  CXO  Media  Inc., 

492  Old  Connecticut  Path,  P.O.  Box  9208, 

Framingham,  MA  01701-9208 

Website  www.cio.com 

Topic  Experts  www.cio.com/online_beats2.html 

Subscriber  Services  866  354-1125,  Fax  847  564-9453, 
E-mail  cio@omeda.com 

Reprint  Services  Chad  Johnston  •  651  582-3800, 

E-mail  cioreprints@rsicopyright.com  (500  quantity  or  more) 

Rights  and  Permission  Andrew  Burrell  •  508  935-4785, 
E-mail  aburreli@cxo.com 


DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Directors  Hana  Barker,  Terri  Haas,  Lisa  Munroe 
Associate  Art  Director  Owen  Edwards 
Senior  Designers  Kaajal  S.  Asher,  George  Lee 
Designer  Alberto  Capolino 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE  EDITORIAL 

Web  Editorial  Director  Art  Jahnke 
Consulting  Editor  Janice  Brand 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

ONLINE  &  INFORMATION  SYSTEMS 

Chief  Information  Officer  Mark  Hall 

Online 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Director,  CIO  Best  Practice  Exchange  Martha  Heller 

Program  Manager,  CIO  Best  Practice  Exchange 

Sari  Kalin 

Operations  Asst.,  CIO  Best  Practice  Exchange  Lisa  Byron 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Director  of  Online  Research  Kathleen  Kotwica 
E-Commerce  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 

Information  Systems 

Infrastructure  Manager  James  C.  Burgoyne 

User  Services  Manager  Ron  Bettencourt 

Senior  User  Services  Specialists  Jonathan  Frappier, 
Michael  Fahlsing 

System  Administrator  Robert  Reagan 

CIRCULATION 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator  Lisa  Stevenson 

EXECUTIVE  PROGRAMS 

EP  Senior  Vice  President  Jennifer  Richards 
Conference  Management  Vice  President  Cynthia  Mollus 
Marketing  Services  Director  Shellie  Rapson  James 


Business  Development  VP  John  Amato 
Program  Operations  Manager  Brian  Fuce 
Marketing  Manager  Glede  Kabongo 
Marketing  Services  Coordinator  Andrea  Slobogan 
Event  Development  Specialist  Sandra  J.  Hughey 
Operations  Coordinator  Michael  Barbato 
Event  Planning  Manager  Amy  Turell 
Senior  Customer  Services  Coordinator  Sarah  Yee 

MARKETING 

Executive  VP/Marketing  Cathy  O'Leary  Hayes 
VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate  Lori  Piscatelli 
Marketing  Research  Director  Bridget  Cammarata 
Marketing  Research  Manager  Carolyn  Johnson 
Sr.  Marketing  Research  Analyst  Dylan  DiGregorio 
Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist  Kari  Curto 
Marketing  Comm.  Associate  Sarah  Crowley 

ADMINISTRATION 

Manager  of  Finance  Margarita  Chiango 
Finance  and  Operations  Analyst  Chris  Bernardi 
Executive  Assistant  to  the  President  Diane  Martin 
Billing  Administrator  Joyce  Gillis 
Facilities  Specialist  John  Kelley 
Office  Services  Coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

Human  Resources  Vice  President  Patricia  Chisholm 
Human  Resources  Manager  Tanya  Bureau 
Human  Resources  Representative  Beth  S.  Ramistella 

FOUNDER 

Joseph  L.  Levy 


INTERNATIONAL  DATA  GROUP 

CEO  Pat  Kenealy 

Board  Chairman  Patrick  J.  McGovern 

WBPA 

▼  INTERNATIONAL® 

©  CXO  Media  Inc. 


8  CIO  OCTOBER  15,  2003 


www.cio.com 


RESOURCES CONNECTION


Get  there  with  people  who  have  been  there  before. 


Finance  and  Accounting,  HR,  IT,  Internal  Audit  and  Supply  Chain 




IT’S  A  COMFORTABLE  CHAIR, 
UNLESS  YOU  HAVE  TO  SIT  IN  IT. 


Because  when  you  sit  here,  you  face  decisions. 

About  costs.  About  people.  About  how  to  survive. 

With  our  Associates  on  your  project,  with  their  skills  and  experience, 

Those  decisions  become  easier. 

The  chair  becomes  more  comfortable. 




We’re  Resources  Connection. 
We  create  value  for  clients  by 
helping  them  execute  their 
strategies  more  cost-effectively. 
We  began  as  part  of  a  Big  Four 
firm;  now  we  are  independent 
and  publicly  traded.  Our 
heritage  attracts  the  best  project 
specialists,  veterans  of  the  Big 
Four  firms  and  FORTUNE  500® 
companies  —  so  they  know  how 
it  feels  to  sit  in  that  chair. 


800-900-1131 

resourcesconnection.com 


Digital  Document 
Security  and  IT: 
Everything  you 
need  to  know. 

Q: What are the most significant digital copier security issues?

A: Various copier print controllers are actually servers that queue and permanently store multiple document files, providing administrator access to the documents. At a minimum, most digital copiers retain the last document processed; some even retain multiple documents totaling hundreds of pages. Others redirect print jobs when the printer is busy or jammed, making "denial of service" attacks possible.

Q: How does Sharp protect the network interface?

A: The Sharp Ethernet card allows administrators to restrict access and disable unnecessary protocols. With this network card, the Sharp digital copier is essentially protected by its own firewall.

Q: How can you be sure that security products actually perform as claimed?

A: The Common Criteria program — administered by the U.S. National Security Agency and the National Institute of Standards and Technology — evaluates security solutions. Products that are validated under the program meet security levels consistent with ISO 15408 methodology.

Q: How can Sharp improve IT security?

A: Sharp offers print privacy solutions designed to restrict unauthorized personnel from seeing confidential materials. Copier access can be controlled and monitored, while documents retained in printer/copier/scanner/fax memory are immediately cleared to eliminate unauthorized access.

sharpusa.com 


be  sharp™ 

©2003  Sharp  Electronics  Corporation. 


What  We  Cover, 
Who  to  Contact 


Industry 

Beats 

Automotive 

Edward  Prewitt 
eprewitt@cio.com 

Defense 

Todd  Datz 
tdatz@cio.com 

Financial  Services 

Elana  Varon 
evaron@cio.com 

Government/Public  Sector 

Todd  Datz 
tdatz@cio.com 

Health  Care 

Alison  Bass 
abass@cio.com 

Manufacturing,  Business- 
to-Business 

Christopher  Koch 
ckoch@cio.com 

Manufacturing,  Business- 
to-Consumer 

Megan  Santosus 
santosus@cio.com 


By  the  Numbers 

Lorraine  Cosgrove  Ware 
lcosgrove@cio.com 

Career  Counsel 

Kathleen  Kotwica 
kkotwica@cio.com 

Essential  Technology 

Christopher  Lindquist 
clindquist@cio.com 

The  Exchange 

Martha  Heller 
mheller@cio.com 

From  the  Editor 

Abbie  Lundberg 
lundberg@cio.com 
Richard  Pastore 
pastore@cio.com 

From  the  Publisher 

Gary  Beach 
gbeach@cio.com 

Hot  Seat 

Edward  Prewitt 
eprewitt@cio.com 

InBox 

Cheryl  Asselin 
casselin@cio.com 

Off  the  Shelf 

Carol  Zarrow 
czarrow@cio.com 


Retail 

Meridith  Levinson 
mlevinson@cio.com

Transportation 

Stephanie  Overby 
soverby@cio.com 

Travel/Leisure/Entertainment 

Alice  Dragoon 
adragoon@cio.com 

Business  & 
Technology 
Beats 

Customer  Relationship 
Management  (CRM) 

Alison  Bass 
abass@cio.com 
Alice  Dragoon 
adragoon@cio.com 

E-Commerce,  Business- 
to-Business 

Christopher  Koch 
ckoch@cio.com 


On  the  Move 

Meridith  Levinson 
mlevinson@cio.com 

Peer  to  Peer 

Alison  Bass 
abass@cio.com 

Reality  Bytes 

Megan  Santosus 
santosus@cio.com 

Real  Value 

Mindy  Blodgett 
mblodgett@cio.com 

Sound  Off 

Art  Jahnke 
ajahnke@cio.com 

Total  Leadership 

Edward  Prewitt 
eprewitt@cio.com 

Trendlines 

Michael  Goldberg 
mgoldberg@cio.com 

Washington  Watch 

Elana  Varon 
evaron@cio.com 
Ben  Worthen 
bworthen@cio.com 


E-Commerce,  Business- 
to-Consumer 

Meridith  Levinson 
mlevinson@cio.com 

Emerging  Technology 

Christopher  Lindquist 
clindquist@cio.com 

Enterprise  Resource 
Planning  (ERP) 

Ben  Worthen 
bworthen@cio.com 

Integration 

Lafe  Low 
llow@cio.com 

Investigations 

Christopher  Koch 
ckoch@cio.com 

IT  Architecture 

Christopher  Koch 
ckoch@cio.com 

IT  Value  and  Measurement 

Mindy  Blodgett 
mblodgett@cio.com 
Lafe  Low 
llow@cio.com 

Knowledge  Management 

Megan  Santosus 
santosus@cio.com 

Leadership  and  Management 

Edward  Prewitt 
eprewitt@cio.com 

Outsourcing 

Stephanie  Overby 
soverby@cio.com 

Project  Management 

Mindy  Blodgett 
mblodgett@cio.com 

Public  Policy 

Elana  Varon 
evaron@cio.com 
Ben  Worthen 
bworthen@cio.com 

Security/Privacy 

Scott  Berinato 
sberinato@cio.com 
Todd  Datz 
tdatz@cio.com 

Staffing 

Stephanie  Overby 
soverby@cio.com 

Supply  Chain  Management 

Ben  Worthen 
bworthen@cio.com 

Vendor  Management 

Scott  Berinato 
sberinato@cio.com 

Web  Services 

Christopher  Lindquist 
clindquist@cio.com 
Elana  Varon 
evaron@cio.com 

Wireless 

Michael  Goldberg 
mgoldberg@cio.com 
Ben  Worthen 
bworthen@cio.com 


Columns  &  Departments 




How  secure  is  your  digital  information? 


Protect your information with the Data Security Kit from Sharp. Financial facts, personnel records, customer lists: networked copiers/printers process sensitive information every day. Unfortunately, their hard drives can also be accessed via the network, contributing to $60 billion worth of information theft every year.* To protect this weak link in your corporate security, we've created our Data Security Kit. It's the first copier and printer protection to be validated by Common Criteria, a government-sponsored program, and it's available only with our Digital IMAGER™ series of copiers/printers. Sharp's Data Security Kit. Enhanced information protection at your fingertips. sharpusa.com/security


be  sharp™ 




Global  Business  and  IT  Consultants 
ams.com/results 


Board  of  Advisers 2003 

CIO  wishes  to  acknowledge  the  2003  Editorial  Advisory  Board  members  for  their 
ongoing  guidance  and  reality  check  of  the  magazine’s  content  and  focus.  We  thank 
them  for  their  generosity  in  sharing  their  insight  into  the  world  of  IT  leadership. 


GREGOR  BAILAR 

CIO 

Capital  One 
Falls  Church,  Va. 

MARCIA  BALESTRINO 

Senior  Vice  President 
and  CIO 

Girl  Scouts  of  the  USA 
New  York  City 

DOUG  BARKER 

CEO 

Barker  and  Scott 
Consulting 
Washington,  D.C. 

WAYNE  D.  BENNETT 

Partner

Bingham  McCutchen 
Boston 

BRIAN  BERTLIN 

Former  Vice  President 
and  CIO 

Washington  Group 
International 
Boise,  Idaho 

MICHAEL  EARL 

Professor  of  Information 
Management,  Dean  of 
Templeton  College 
Oxford  University 
Oxford,  England 

JOHN  GLASER 

Vice  President  and  CIO 
Partners  Healthcare 
Boston 


JERRY  GREGOIRE 

Former  CIO  of  Pepsi 
and  Dell 
Austin,  Texas 

SCOTT  HEINTZEMAN 

CIO 

Carlson  Hotels 

Worldwide 

Minneapolis 

C.  LEE  JONES 

Chairman  and  CEO 
AmericasDoctor 
Gurnee,  Ill. 

SUSAN  S.  KOZIK 

CIO  and  Vice  President 
for  Supply  Chain  and 
Corporate  Centers 
Lucent  Technologies 
Warren,  N.J. 

CHUCK  LYBROOK 

Executive  Director 
The  Information 
Management  Forum 
Atlanta 

BUD  MATHAISEL 

Corporate  Vice  President 
and  CIO 
Solectron 
Milpitas,  Calif. 

CAROLYN  T.  PURCELL 

CIO  (Retired) 

State  of  Texas 
Austin,  Texas 


REBECCA  RHOADS 

CIO 

Raytheon 
Lexington,  Mass. 

LARAINE  RODGERS 

President 

Arizona  Partnership  for 
Higher  Education  and 
Business 
Scottsdale,  Ariz. 

JIM  RYAN 

Executive  Vice  President 
of  Marketing  and  Sales 
W.W.  Grainger 
Lincolnshire,  Ill. 

THOMAS  T. 
SCHWANINGER 

Senior  Vice  President 

and  CIO 

American  Red  Cross 
Falls  Church,  Va. 

JAMES  F.  SUTTER 

Senior  Partner 
The  Peer  Consulting 
Group 

Newport  Beach,  Calif. 

RICHARD  W. 
SWANBORG  JR. 

President 

ICEX 

Boston 

PATRICIA  WALLINGTON 

President 
CIO  Associates 
University  Park,  Fla. 


At  AMS,  we  know  a  lot  about  technology. 


Even  better,  we  know  a  lot  about  the 


businesses  we  work  with.  For  more  than 


30  years  we've  helped  government 


agencies,  telecommunications  firms, 


and  financial  services  firms  achieve 


high-performance  results.  How?  Not  by 


acting  like  someone  in  our  industry,  but 


by  thinking  like  someone  in  theirs. 


IT+IQ=Results 




ams 


Global  Business  and  IT  Consultants 

ams.com/results 

800  255  8888 




ONLY ONE REPORTING SOLUTION WORKS ACROSS DEPARTMENTS. ACROSS DIVISIONS. ACROSS THE PLANET.

INTRODUCING COGNOS REPORTNET.


JOIN  THE  REVOLUTION 


It’s  not  an  evolution.  It’s  a  revolution. 

Introducing Cognos ReportNet™, the new enterprise reporting standard.
Now,  you  can  deliver  consistent  information  across  your  business. 
Replace  stand-alone  reporting  tools  with  the  only  solution  that  handles 
everything  from  customized  queries  to  production  reports. 

Build  reports  once.  Deploy  in  any  language.  Automatically. 

Make  your  IT  team  and  users  more  productive. 

All  on  a  zero-footprint,  open  architecture  built  specifically  for  the  Web. 

See  how  you  can  drive  performance. 

Read  about  Breakthrough  Reporting  at: 


Copyright © 2003 Cognos Incorporated. All rights reserved.




BREAKTHROUGH  REPORTING 
GLOBAL  SERIES 

Americas 

3  Sep  Los  Angeles,  CA 

4  Sep  Dallas,  TX 

16  Sep  Toronto,  ON 
18  Sep  Iselin,  NJ 

23  Sep  Calgary,  AB 

23  Sep  Minneapolis,  MN 

24  Sep  Milwaukee,  WI 

24  Sep  Seattle,  WA 

25  Sep  Portland,  OR 

25  Sep  St.  Louis,  MO 

26  Sep  Kansas  City,  KS 

1  Oct  Boston,  MA 

2  Oct  Washington,  DC 
2  Oct  Phoenix,  AZ 

7  Oct  Nashville,  TN 

7  Oct  Sao  Paulo,  Brazil 

8  Oct  Philadelphia,  PA 

8  Oct  Ft.  Lauderdale,  FL 

9  Oct  Pittsburgh,  PA 
15  Oct  Atlanta,  GA 

17 Oct Houston, TX
21  Oct  Hartford,  CT 
21  Oct  Raleigh,  NC 

21  Oct  Cincinnati,  OH 

22  Oct  Cleveland,  OH 
22  Oct  Richmond,  VA 

22  Oct  Mexico  City,  Mexico 

23  Oct  Rochester,  NY 
23  Oct  Detroit,  MI 

23  Oct  Montreal,  QC 

24  Oct  Indianapolis,  IN 
28  Oct  Denver,  CO 

4  Nov  Edmonton,  AB 

20  Nov  Ottawa,  ON 

Europe 

10  Sep  Vienna,  Austria 

1  Oct  Lausanne,  Switzerland 

7  Oct  Frankfurt,  Germany 

8  Oct  Amsterdam,  Netherlands 

9  Oct  Paris,  France 

10  Oct  Helsinki,  Finland 

13  Oct  Birmingham,  England 

14  Oct  Brussels,  Belgium 

15  Oct  Stockholm,  Sweden 

16  Oct  Zurich,  Switzerland 

Asia  Pacific 

21  Oct  Perth,  Australia 

22  Oct  Brisbane,  Australia 

23  Oct  Canberra,  Australia 
28  Oct  Adelaide,  Australia 

28  Oct  Tokyo,  Japan 

29  Oct  Melbourne,  Australia 

30  Oct  Sydney,  Australia 
4  Nov  Osaka,  Japan 

Register  today  at 

www.cognos.com/reportnet/events. 


trendlines

Edited  by  Michael  Goldberg 


BUSINESS  CONTINUITY 

Next  Time  the 
Lights  Go  Out... 


WHEN THE LIGHTS went out Aug. 14, darkening much of the Northeast from Detroit to New York and into Canada, Matthew Hunt was ready. The CTO of Omnipod, a communications services provider based in a post World War II-era Manhattan building, had a week’s worth of diesel fuel to run a power generator in the basement. Several blocks away at Capital Printing Systems, CIO Craig Sisler activated his company's backup data site in New Jersey as his colleagues draped plastic over the servers in case the building's sprinkler system rained on them.

Business continuity means preparing for the unexpected. This time, the unexpected was the biggest power outage in American history, affecting up to 50 million people. And this time, CIOs at companies big and small—some prodded by memories of September 11, others dusting off Y2K to-do lists—deployed continuity plans that, experts say, effectively limited the blackout’s damage.

But even where recovery efforts went swimmingly, experts and IT executives say there are lessons to learn from the blackout of 2003.

Put people first. Employees at all levels of a company need to know not only what’s happening, but what they need to do.

Continued  on  Page  38 


SECURITY 

Virus  Attacks 

WHAT  A  MONTH.  Human  frailty,  spam 
and  a  dangerous  Microsoft  Windows 
vulnerability  combined  to  produce  four 
major  Internet  worm  attacks  in  August. 
A  rundown: 

■ The W32.Mimail, a mass e-mailed worm, looks like a system administrator’s message.

■ The W32.Blaster Internet worm exploits a flaw in Windows’ implementation of the remote procedure call (RPC) protocol and spreads worldwide in a matter of hours, infecting hundreds of thousands of Windows machines.

■ Others emerge that exploit the same vulnerability as Blaster, including W32.Welchia, which disrupts networks while PC users try to patch the RPC vulnerability.

■ A new version of the Sobig worm, W32.Sobig.F, bombards e-mail accounts worldwide.

Experts agree that these worms are so effective because they spread rapidly via e-mail, they attack Windows, and they are relatively easy to assemble. The only consensus about prevention is on how much work it takes: for Microsoft, antivirus vendors and user companies.

CIO John Halamka of CareGroup and Beth Israel Deaconess Medical Center says a combination of firewall, network intrusion detection systems, antivirus software and patches worked to keep his facilities worm-free during the outbreak. Halamka’s IT staff held what he called an “all nightmare-athon” patching session in late July for the hospital’s 130 Windows servers. Worm-free, yes. Cost-free, no.


People  flooded  New  York’s  Times 
Square  after  the  Aug.  14  blackout 
darkened  the  city’s  concrete  canyons. 


PHOTO  BY  AP/WIDE  WORLD  PHOTOS 


Plan  A: 

React  to  demands  for  business  integration 
by  trashing  your  legacy  systems. 
Promise  results.  Deliver  excuses. 
Re-direct  blame.  Avoid  eye  contact. 


Plan  B: 


Gentran  Integration  Suite™. 


Welcome  to  a  new  way  of  thinking.  Gentran  Integration  Suite 
provides  a  modular  approach  to  your  business  integration  initiative. 
Fast  to  deploy.  Easy  to  support.  Easy  on  your  budget  —  today  and 
tomorrow.  We  think  of  it  as  B2B  and  EAI  without  the  CYA. 

Find  out  how  to  prepare  for  the  future  by  building  on  your 
existing  infrastructure.  For  your  free  information  kit,  visit 


sterlingcommerce.com/plan/gentran. 


GENTRAN  INTEGRATION  SUITE™  STERLING  INFORMATION  BROKER™  CONNECT*  OUTSOURCING 


©  2003  Sterling  Commerce,  Inc.  ALL  RIGHTS  RESERVED.  Sterling  Commerce  and  the  Sterling  Commerce  logo  are  trademarks  of  Sterling  Commerce,  Inc.  Sterling  Commerce  is  an  SBC  Communications,  Inc.  company. 


trendlines 


Lights  Go  Out 

Continued  from  Page  36 

Sisler says he's making communications a priority as he updates his company’s disaster recovery plan. “We need to set up a voice-mail system at a separate geographic location that employees can call to get a recorded message. Without that, we left a lot of people literally and figuratively in the dark,” he says.

Protect systems and data integrity. The blackout is inspiring many companies to implement new backup and storage procedures so that “when the power comes back on, there’s an ability to resynchronize data and systems,” says Michael Croy, business continuity solutions director at Forsythe Solutions Group. Ken Steinhardt, technology analysis director at storage vendor EMC, adds that most storage systems come with backup battery supplies (like EMC’s, which automatically store cached data onto a disk when the power goes out). The largest companies run remote data replication systems to second and sometimes third data centers.

Prioritize business processes. “You need to make sure you can recover those processes that are most critical,” Croy says. For example, a bank that’s a Forsythe client realized that when the lights go out what people want is cash. So the bank needs to prioritize getting its ATMs back online.

Practice, practice, practice. “We did a ton of testing on procedures during Y2K preparations,” says Jim Simmons, CEO of SunGard Availability Services. “And when I woke on Jan. 1, 2000, I thought, boy, what a waste that exercise was. Now, three years later, it's come in handy.” SunGard saw 67 companies demand backup and recovery services during the blackout, its second-highest total (after 9/11, 77 customers declared disasters).

Postmortems should be in the plan. That bank now knows to focus on ATMs. And Sisler sought feedback from all 105 staffers at Capital Printing. “You can become insular when you have a committee working on something,” he says. One item he’s investigating is food. “It may sound crazy, but I contacted an organization that distributes MREs (meals ready-to-eat) to the military. MREs have a long shelf life, and they don’t take up much space.”

-Michael  Goldberg  and  Kathleen  Carr 


E-COMMERCE STRATEGY


Amazon.com, Software Vendor


IN THE LATEST tweak to its ever-evolving business model, online retailer Amazon.com is hawking its own e-commerce technology—software, website developing and hosting—through a new subsidiary, Amazon Services.

Amazon Services grew out of Amazon.com’s partnerships with Toys “R” Us and Target, both of which use Amazon’s technology to power their own websites in addition to selling on the Amazon site. “We’re thinking about ourselves as a technology company and a technology platform,” says Mark Stabingas, Amazon.com’s vice president of worldwide business development and services sales. “The universe of opportunity is larger than if we just want to think about ourselves as a retail business.”

The sale of products by third parties on Amazon’s website is a fast-growing portion of the company’s business, accounting for 20 percent of units sold in the second quarter of 2003—compared with 14 percent of units a year ago. Amazon gets a cut of those sales. Tim Clark, an e-commerce analyst and partner with FactPoint Group, says the move makes sense as a way for Amazon to recoup its IT investment. (Amazon reports it has spent on average $242 million per year on IT since 2000.)

But a technology partnership with Amazon isn’t for everyone, cautions Carrie Johnson, a senior analyst with Forrester Research. For one thing, she says, adopting Amazon’s software platform is pretty much an all-or-nothing proposition, and there aren’t many retailers right now that want to replace their e-commerce systems. And you’re also committed to how Amazon presents the shopping experience.

Retailers that sell commodities such as books, music and sporting goods can probably live with these constraints, Johnson adds, but companies that want lots of control over how they position their brands online may want to look elsewhere for their e-commerce infrastructures. There’s no requirement for merchants to adopt Amazon’s platform to set up a sales channel on the Amazon.com site.

In August, Target renewed its contract with Amazon for another five years. Dale Nitschke, president of Target Direct, says there have been some non-IT benefits to the relationship (for example, Target Direct outsources its order fulfillment and customer service to Amazon). With the partnership, Target gains from Amazon’s continued software development. “We would choose not to make that type of investment,” Nitschke says.

Stabingas won’t say how much retailers will have to pay for Amazon’s technology and services, only that the company aims to keep the initial investment costs low and earn its fees through its revenue-sharing arrangements. So every purchase “click” for one of its merchant partners sounds a “clink” for Amazon’s coffers.

-Elana Varon




ILLUSTRATION  BY  LEO  ESPINOSA 


Not  on  our  watch. 


PeopleSoft  Supplier  Relationship  Management. 

The  only  solution  to  manage  all  of  your  enterprise  spend  in  real  time. 

PeopleSoft  SRM  enables  you  to  proactively  control  all  of  your  enterprise  spend— from  direct  goods  to  indirect  goods  to 
capital  assets  to  services.  And  because  you  are  connected  to  all  of  your  suppliers  over  the  Web,  you  can  manage  it  all  in 
real time, and always act before it's too late. Learn more by visiting us at www.peoplesoft.com/realtime or call 1-888-773-8277.


PeopleSoft 


Supplier  Relationship  Management 


© 2003 PeopleSoft, Inc. PeopleSoft is a registered trademark of PeopleSoft, Inc.


trendlines 


Edited  by  Elana  Varon 


SECURITY ALERTS


New  Warning  System  Taps  Security 
Contractors  for  Attack  Data 


WITH ITS NEW Cyber Warning and Information Network, the Department of Homeland Security finally may have hit on the right model to ensure that the private sector shares cyberattack information with the feds—by getting information from security providers instead of the victims.

First proposed in 2001 by former cybersecurity czar Richard Clarke, the program provides an information collection and dissemination network for government agencies and private-sector information security companies that clean up after cyberattacks. When a security breach occurs, network members have agreed to report the details to the network (run by DHS), which in turn would alert via e-mail and a telephone hotline others that may be at risk. It all comes at a good time because attacks are on the rise. According to one network member, vendor Internet Security Systems, the number of serious security threats will more than double this year compared with last.

As outlined by the Bush administration, the network differs from previous initiatives in that it doesn’t depend on victims to notify the government of an attack. As such, says Alan Paller, research director with the SANS Institute, it avoids a major shortcoming of earlier efforts at cooperation that relied on companies to volunteer information. Officials, instead, obtain information about security breaches from the security service providers most large companies have on contract. As a model, think of the Centers for Disease Control and Prevention, which collects health information from doctors, rather than patients. The network is already live, says DHS spokesman David Ray, and was used to exchange information during the Northeast blackouts in August.


Right now, says Peter Allor, manager of X-Force Threat Intelligence Services with Internet Security Systems, the government is choosing which vendors get to join—a factor, he says, of the high cost for DHS to connect new members to a private network that is not connected to the Internet. Unfortunately, because end user companies don’t participate in the service directly, CIOs will be able to benefit from it only if their security providers are members—for now leaving CIOs whose providers are not part of the system out in the cold when a serious attack occurs. Meanwhile, CIOs who have contracts with an approved network member need to make sure that their contracts include language that allows the contractor to report any security breaches that occur.

-Ben Worthen


REGULATION


Congressman  Wants  Companies 
to  Report  Cyberdefense  Steps 

AMID  THE  FALLOUT  from  summer  battles  against  the  Sobig  and  Blaster  worms, 
one  influential  member  of  Congress  is  considering  whether  to  force  companies  to 
publicize  their  readiness  to  combat  future  cyberattacks. 

Rep. Adam Putnam (R-Fla.), head of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, wants companies to fill out a cybersecurity checklist in their filings with the SEC. Though the feeling on Capitol Hill is that companies aren’t doing enough to secure their piece of the Internet, Putnam is the first legislator to endorse a reporting requirement.

After  a  subcommittee  hearing  last  month,  Putnam  said  his  approach  would 
force  executives  of  publicly  traded  companies  to  pay  attention  to  cybersecurity.  "It 
is  the  least  blunt  instrument  and  the  least  regulatory  approach,”  Putnam  said. 

Because  he  hadn't  introduced  any  legislation  as  of  mid-September,  it’s  unlikely 
such  a  bill  would  pass  this  year,  but  some  cybersecurity  experts  predict  any  more 
Internet  attacks  would  put  pressure  on  Congress  to  take  action  sooner. 

Bob  Dix,  the  subcommittee’s  staff  director,  says  a  cybersecurity  reporting 
requirement  styled  after  the  financial  reporting  rules  in  the  Sarbanes-Oxley  Act 
would  raise  awareness  among  top-level  executives.  Disclosures  could  take  the 
form  of  a  checklist,  asking  such  questions  as,  Do  you  have  an  up-to-date  IT  assets 
list?  Companies  that  have  several  unchecked  items  may  cause  concern  among 
stockholders,  board  members  or  customers,  and  be  forced  by  the  marketplace  to 
deal  with  cybersecurity,  say  the  concept’s  supporters.  -Grant  Gross 




PHOTO  BY  CHRIS  HARTLOVE 


Exclusive! 


Baylor  goes  to  the 
head  of  the  IT  class. 


Baylor  University 

Deploys Business-Driven Network.™

Serving the educational and recreational needs of 14,000 students is a tall order for any IT department. You have to ensure access to critical classroom resources as well as provide the Internet and e-mail services expected by today’s technology-savvy students. And security cannot be compromised.

That’s  why  Baylor  University  turned  to  Enterasys  and  its  unique  Secure  Networks 
solution.  Through  a  simple-to-administer  interface,  IT  managers  can  assign  very 
specific  access  privileges  that  stay  with  students  wherever  or  however  they  log 
on.  From  class  or  the  residence  hall.  Wired  or  wireless. 


Secure  Networks  Webcast 


The  network  runs  smoother.  Security  is  pervasive.  And  students  are  happy. 


Don’t  miss  this  informative  webcast 
featuring  Gartner  and  other  industry  experts  as 
we  address  the  best  practices  for  deploying 
enterprise-wide  security. 

Register  now! 


Get  the  full  story  at  enterasys.com/baylor 

ENTERASYS NETWORKS™

Visit us at itworld.com/enterasyssecurity


Dell has a customized IT solution for your business, no matter what business you're in, or what size it is. From PowerEdge™ servers featuring Intel® Xeon™ processors to network support products like PowerVault™ Storage and PowerConnect™ switches, Dell offers flexible, high-performance industry-standard technologies and software solutions that are just right for your particular business needs. And we'll help you every step along the way. Whether it's planning and design, testing and validation, systems management, or our award-winning 24x7 service and support, Dell will help you create an IT infrastructure that's easy to choose, deploy and manage. So make life easy on yourself and get a big advantage over your competition - with a unique IT solution from Dell.

Dell  Rated  #1  in  Intel-Based  Server  Satisfaction 

21  Out  of  22  Consecutive  Quarters 
Technology  Business  Research 
Corporate  IT  Buying  Behavior  and  Customer  Satisfaction  Study 

First  Quarter  2003 
-July  2003 


'a-8p  Sat  8a-5p,  CT 

‘ications,  availability  and  terms  of  offer  may  change  without  notice.  Taxes  and  shipping  charges  extra,  and  vary  and  not  subject  to  discounts.  U.S.  Dell  Small  Business  new  purchases  only.  Dell  cannot  be  held  responsible  for  errors  in  typography 
ny.  'This  device  has  not  been  approved  by  the  Federal  Communications  Commission  for  use  in  a  residential  environment.  This  device  is  not,  and  may  not  be,  offered  for  sale  or  lease,  or  sold  or  leased  for  use  in  a  residential  environment  until  the 
o  FCC  has  been  obtained  'Service  may  be  provided  by  third  party.  Technician  will  be  dispatched  following  phone-based  troubleshooting  Subject  to  parts  availability,  geographical  restrictions  and  terms  of  service  contract.  Service  timing  dependent 
:ay  call  placed  to  Dell  U.S.  only.  '’DDR  333  memory  runs  at  320MHz  when  used  with  800MHz  FSB  processors.  ^Monthly  payment  based  on  pre-rebate  price  for  48-month  60  Days  Same-As-Cash-QuickLoan  with  46  payments  at  9.99%  interest 
.'9st  rate  and  monthly  payment  may  be  same  or  higher,  depending  on  your  creditworthiness.  If  you  do  not  pay  the  balance  within  60  days  of  the  Quickloan  Commencement  Date  {which  is  five  days  after  product  ships),  interest  will  accrue  during 
days  and  a  documentation  fee  may  apply.  OFFER  VARIES  BY  CREDITWORTHINESS  OF  CUSTOMER  AS  DETERMINED  BY  LENDER.  Minimum  transaction  size  of  $500  required.  Maximum  aggregate  financed  amount  for  the  paperless  acceptance 


Services 


File&Print  Servers 


From  entry-level  servers  to  robust  rack-mountable 
solutions  that  fit  existing  infrastructures. 


NEW POWEREDGE™ 400SC SERVER


Small  Business  Value  Server 

•  Intel®  Celeron®  Processor  at  2GHz 

•  Upgradable  to  Intel®  Pentium®  4  Processor  at  3.20GHz 
with  800MHz  Front  Side  Bus” 

•  128MB  333MHz  ECC  DDR  SDRAM  (Up  to  4GB) 

•  40GB  (7200  RPM)  IDE  Hard  Drive 

•  Upgradable  to  240GB  of  Internal  Hard  Drive  Storage 

•  Embedded  Intel®  PRO  Gigabit50  NIC 

•  1-Yr  24x7  Dedicated  Server  Phone  Tech  Support 

•  1-Yr  Next  Business  Day  On-Site  Service3 

•  Small  Business  Pricing 


E-VALUE  Code:  18581-S21003g 


NEW POWEREDGE™ 650* SERVER


Low-Cost,  General-Purpose  1U  Server 

•  Intel®  Pentium®  4  Processor  at  2.40GHz 

•  Upgradable  to  Intel®  Pentium®  4  Processor  at  3.06GHz 

•  128MB  266MHz  ECC  DDR  SDRAM 

•  Upgradable  to  3GB  of  SDRAM 

•  40GB  (7200  RPM)  IDE  Hard  Drive 

•  Upgradable  to  146GB  of  Internal  Hard  Drive  Storage 

•  ATA 100 IDE RAID Controller Available

•  Intel®  PRO  Gigabit50  NIC 

•  3-Yr  Next  Business  Day  On-Site  Service3 

•  Small  Business  Pricing 

as low as $32/mo., (46 pmts.30)

E-VALUE Code: 18581-S21011g


Purchase 


Dell  offers  a  wide  range  of  reliable,  award-winning 
technology,  all  delivered  from  a  single  point  of  contact  -  and 
our  expert  sales  associates  are  there  to  help  you  find  the 
technology  that's  right  for  your  business. 


Installation  -  Starting  at  $199 


Once  you've  selected  the  right  technology,  Dell  can  help  you 
get  it  up  and  running  quickly  and  cost-effectively  with  our 
custom  on-site  installation  and  configuration  services. 


Database & Web Hosting Servers

Application-specific servers that can meet most any challenge.


POWEREDGE™  2600  SERVER 


High-Performance  Tower  Server 

•  Intel®  Xeon”  Processor  at  2.40GHz 

•  Dual  Intel®  Xeon”  Processor  Capable  (Up  to  3.06GHz) 

•  512MB  266MHz  ECC  DDR  SDRAM 

•  Upgradable to 6GB of SDRAM

•  36GB  (10K  RPM)  Ultra320  SCSI  Hot-Swap  Hard  Drive 

•  Active  ID  Bezel  for  Manageability 

•  3-Yr  Next  Business  Day  On-Site  Service3 

•  Small  Business  Pricing 

as low as $49/mo., (46 pmts.30)

E-VALUE Code: 18581-S21017g


POWEREDGE™  1750*  SERVER 


1U  High-Performance  Rack  Server 

•  Intel®  Xeon”  Processor  at  2.40GHz 

•  Dual  Intel®  Xeon”  Processor  Capable  (Up  to  3.06GHz) 

•  256MB  266MHz  ECC  DDR  SDRAM  (Up  to  8GB) 

•  36GB  (10K  RPM)  Ultra320  SCSI  Hot-Swap  Hard  Drive 

•  Integrated  Dual-Channel  Ultra320  SCSI  Controller 

•  Active  ID  Front  Bezel  for  Monitoring  System  Health 

•  3-Yr  Next  Business  Day  On-Site  Service3 

•  Small  Business  Pricing 

as low as $51/mo., (46 pmts.30)

E-VALUE Code: 18581-S21018g


Training  &  Certification  -  Starting  at  $100 


After  installation,  Dell  can  help  turn  your  employees  or  IT 
staff  into  experts  on  your  new  technology  through  a  variety 
of  training  and  certification  courses  -  helping  increase  your 
business'  long-term  productivity. 


Service  &  Support 


The  support  doesn't  end  at  the  sale.  Dell's  award-winning 
service  and  support  offerings  help  ensure  that  your  new 
network  remains  up  and  running  -  with  Web,  phone  or 
on-site  service3  and  support. 


4-Way  Servers 

Handle  intense  networking  needs  with  ease. 

POWEREDGE™  6600*  SERVER 


Quad  Processing  Power  in  Rack-Mountable  or 
Tower  Form  Factors 

•  Up to Four Intel® Xeon™ Processors at 1.50GHz

•  Up  to  32GB  DDR266  ECC  SDRAM 

•  Up  to  1752GB  Maximum  Internal  HDD  Storage 

•  Embedded  Ultra  SCSI  Adaptec®  (160MB/s)  Controller 

•  Standard  Hot-Swap  Hard  Drives,  Hot-Swap  Redundant 
Fans  and  Hot-Swap  Redundant  Power  Supplies 

•  10  Hot-Plug  PCI-X  Slots 

starting  at 

as low as $107/mo., (46 pmts.30)

E-VALUE  Code:  18581-S21039g 


Storage  Options 

Enhance  your  server  capabilities. 

DELL™  POWERVAULT™  725N  NAS 


Optimized  File  Storage  Across  the  LAN 

•  Intel®  Celeron®  Processor  at  2GHz 

•  384MB  DDR  SDRAM  (Up  to  3GB) 

•  4x40GB  (160GB)  IDE  Hard  Drives 

•  Up to 1TB of Internal Storage Capacity

•  Microsoft®  Windows®  Powered  Network  Attached  Storage 

as low as $49/mo., (46 pmts.30)

E-VALUE Code: 18581-S21017


DELL/EMC 


If  you  have  more  than  300GB  of  storage,  visit 

www.dell.com/storage4mybiz  for  low  prices  on 
Dell/EMC  storage  arrays. 


Network  Switches 

Scalable,  high-performance  switches 
to  enhance  your  network. 

POWERCONNECT™  3324*  SWITCH 


High-Performance  Workgroup  Switch 

•  24  Fast  Ethernet  Ports  plus  2  Gigabit  Uplinks  (2  Copper  and 
2  SFP  Transceiver  Combo  Slots  for  Fiber) 

•  Stacking  Functionality  of  Up  to  192  Ports 

•  Advanced  Network  Management  and  Security  Features 

•  Industry  Standard  CLI  and  Easy-to-Use  Web  Interface 

•  3-Yr  Next  Business  Day  Advanced  Exchange 
Service52  Standard 

as low as $14/mo., (46 pmts.30)

E-VALUE  Code:  18581-S11004 


Solutions  that  fit.  Easy  as 


DELL


Click  www.dell.com/bizsolutions  Call  1-877-420-3355 


toll  free 


not to exceed $25,000. If your order exceeds $25K, a Dell Financial Services rep will contact you to process your documentation. Taxes, fees and shipping charges are extra and may vary. Not valid on past orders or financing.
QuickLoan arranged by CIT Bank to Small Business customers with approved credit. 50 This term indicates compliance with IEEE standard 802.3ab for Gigabit Ethernet, and does not connote actual operating speed of 1GB/sec. For
high-speed transmission, connection to a Gigabit Ethernet server and network infrastructure is required. 52 Technician, replacement part or unit (depending on service contract) will be dispatched, if necessary, following phone-based
troubleshooting in advance of receipt of returned defective unit. Service may be provided by third-party provider. Subject to parts availability, geographical restrictions and terms of service contract. Service timing dependent upon
time of day call placed to Dell. Defective unit must be returned. Replacements may be refurbished. U.S. only. Dell, the stylized E logo, E-Value, PowerEdge, PowerConnect and PowerVault are trademarks of Dell Inc. Intel, Intel
Inside, the Intel Inside logo, Intel Xeon, the Intel Xeon logo, Pentium and Celeron are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. ©2003 Dell Inc. All rights reserved.


GO 

Online  For 
Latest  Prices 
and  Weekly 
Promotions 




SOFTWARE DEVELOPMENT

Winner’s Circle for Sale

PROGRAMMING CONTESTS are nothing new. Give a dozen coders the same puzzle, and you’ll get 12 different “best” solutions. But TopCoder takes the idea of code wars to the max, arranging global online competitions, onsite contests at trade shows and world championship tournaments—hosted at MIT, the coder’s mecca—to discover the best programmers in the world. And now, you can hire some of that talent.

TopCoder, seeking to profit from its contestants' prowess, has created a new division called TopCoder Software that aims to hire out teams of programmers on an outsourced or consulting basis to large corporations. Prospective companies submit project proposals to TopCoder. Then, TopCoder posts these new jobs and picks a pair of the highest-rated respondents to compete for the contract. After TopCoder reviews the work's quality, the programmer with the best code gets paid a preset amount; the runner-up gets half that total. TopCoder project managers then integrate the winning code into the final product.

TopCoder promotes a component-based development methodology and encourages its developers to reuse code from its dozens-deep components library. (Outside companies’ programmers can rent access to this collection for their own projects for $1,200 per programmer per year.) The goal is to reduce programming times while maintaining high standards—and cutting costs. TopCoder Software President Dave Tanacea says his company can produce competitively priced software at a rate and quality other outsourcers—including those overseas—will be hard-pressed to duplicate. “We won’t do it for $28 an hour,” Tanacea says. “But we can do it for $40. And how many $28 hours will it take you to get what you want?” -Christopher Lindquist


trendlines 


CRM LICENSES

Lots of Wares on the Shelf

ONE OF I.T.’S dirty little secrets is the problem of shelfware—not using software you’ve paid for. And the latest exhibit of this is CRM, according to a recent Gartner report. That study found that of the CRM software licenses purchased in 2002, an embarrassing 42 percent is unused—at an estimated waste of $1 billion to $1.26 billion to companies that purchased the software. Given that the entire CRM software revenue forecast for all of 2002 was $3 billion, that’s a lot of money to be throwing away in a tight IT economy.

So who’s responsible? It’s easy to blame the vendors because, after all, they do try to seduce customers into bulk software buying. CRM vendors often offer big discounts if a company will bundle a number of CRM modules together. The pitch is convincing: Buying functionality you don’t need now is cheaper than adding it on later. So it’s no wonder that so many companies take the bait.

But guess what? It’s costlier to buy more CRM licenses than you need initially, the Gartner study concludes, because you have to pay maintenance fees on those unused licenses. Yet that fact hasn’t stopped CRM customers from falling into this trap.

Non-IT Execs Buying Software

One of the problems is that CRM software is still being purchased by non-IT executives who don’t understand what the technology does. For example, at McKesson Health Solutions, a McKesson business unit that sells software to hospitals and insurers, a non-IT executive purchased three CRM modules in May 2002 from Pivotal because of the discounts that were dangled in front of him. But only one module—the sales-force automation (SFA) piece—has so far been installed, and even that app is still not being fully employed by McKesson’s sales force, according to an IT manager there.

Sitting on the shelf, this manager says, are two other components: a business intelligence app and software that integrates the SFA app with Microsoft Outlook so that sales meetings can automatically be entered into the Outlook calendar. “We don’t have enough resources to install the other two components,” he says.

The cure? First, as this IT manager astutely notes, the people who use the app and the people who understand it should be the ones who decide what software is needed and when—not the senior executives who don’t even use the technology.

In addition, the negotiators (led by users and in-house IT experts) should analyze the benefits of buying software in small or large packages. CRM expert Beth Eisenfeld, lead author of the Gartner report, says a good rule of thumb is to limit initial purchases to the number of licenses expected to be deployed in the first year of the project. And the negotiators can build clauses into software contracts that enable the company to stop paying maintenance fees for unused licenses or modules. CRM vendors such as Siebel are beginning to allow pay-as-you-go or subscription model contracts with locked-in discounts. Sounds better than sitting on a shelf. -Alison Bass




ILLUSTRATION  BY  LEO  ESPINOSA 


Industry  experts  estimate  that  up  to  70%  of  network  downtime  is 
caused  by  failures  in  the  physical  layer,  driving  IT  managers  to 
spend  up  to  40%  of  their  time  tracking  down  the  problem  source. 

The PanView System from PANDUIT® helps businesses
minimize  network  downtime  by  monitoring  physical  layer 
connections  in  real  time.  The  system  continuously  scans 
connections,  providing  100%  accurate  physical  layer 
information  to  Network  Administrators  and  immediately  notifies 
Network  Managers  of  any  changes  in  the  physical  layer. 

This information, coupled with the PanView System’s innovative
LED-based  guided  patching  (based  on  field-proven  PatchView™ 
technology  from  RiT),  dramatically  improves  restoration  time  by 
quickly  and  efficiently  guiding  technicians  through  the  entire 
process. 


PatchView for the Enterprise™ is a trademark of RiT Technologies, Ltd.




Cisco  Systems 


Service  Provider 
Solution  Partner 


PANDUIT  is  the  Leading  Global  Provider 
of  Network  Connectivity  Solutions 

Innovative  Technology  for  Your  Copper 
and  Fiber  Infrastructure 

■ Modular Twisted Pair Connectors
■ Fiber Optic Connectors
■ Zone Cabling Systems
■ Outlets
■ Network Rack Systems
■ Physical Layer Management Systems
■ Raceway Systems
■ Fiber Routing Systems
■ Network Grounding Systems
■ Network Cable Ties and Accessories
■ Network Identification Systems


Tinley  Park,  IL  60477-3091 

For  more  information  or  to  request  a  catalog 
800-777-3300 
cs@panduit.com 

www.panduit.com/pv05 


trendlines 


Off  the  Shelf 


Edited  by  Carol  Zarrow 


Old  Questions,  Fresh  Answers 

In  today’s  economy,  innovation  and  happiness  in  the  workplace  might  be 
viewed  as  completely  irrelevant  notions.  Here  are  two  books  that, 
refreshingly,  beg  to  differ. 


Dilemma and Solution

The Innovator’s Solution: Creating and Sustaining Successful Growth
By Clayton M. Christensen and Michael E. Raynor
Harvard Business School Press, 2003, $29.95

IT WAS ONLY in 1997 that this book’s predecessor, The Innovator’s Dilemma, became a best-seller and made Clay Christensen an academic star—but it seems like an eon ago. And in a sense, that was indeed a different age. Innovation has taken a backseat now that survival is the game. It’s therefore unlikely that The Innovator’s Solution will re-create the splash of its predecessor. And yet, it’s just possible that Christensen and his coauthor, a former student who is now a Deloitte consultant, have anticipated the next wave, during which interest in innovation will revive.

If so, this book addresses an important question that its precursor left maddeningly unanswered, namely, how to innovate successfully. The authors have spent several years researching what they call “the black box” of innovation. They found that innovation’s key is the process by which organizations shape new ideas and shepherd them up the decision-making line. Dilemma demonstrated that companies tend to reject disruptive ideas—those that don’t appeal to established customers or markets—in favor of sure bets and predictable outcomes. In Solution, the authors focus on the issues that managers must consider when thinking about how to grow new businesses, and thereby either overtake the market leaders or fend off would-be disrupters. -Edward Prewitt


The Pursuit of Happiness

The Art of Happiness at Work
By His Holiness the Dalai Lama and Howard C. Cutler
Riverhead Books, 2003, $24.95

SINCE WE SPEND so much of our time at work, it’s only natural that we strive for balance between the hours of 9 and 5. In The Art of Happiness at Work, psychiatrist Howard Cutler presents the unique perspective of Tenzin Gyatso, His Holiness the Fourteenth Dalai Lama, on the interface—or clash—of work and personal happiness. The 1998 collaboration between Cutler and the Dalai Lama, The Art of Happiness: A Handbook for Living, was a more general look at how people can approach all of life’s challenges. This follow-up book deals exclusively with the topic of work. Ultimately, the Dalai Lama’s approach to happiness at work, which is explained in a series of conversations with Cutler, is much like his approach to happiness and fulfillment in life. Acting with kindness and compassion in everything we do and doing what we can to help others—those are the cornerstones of the art of happiness, both in life and in work. -Lafe Low


Learn More About New Books

Looking for a book review or excerpt you saw in a past issue of CIO? Visit our online READING ROOM at www.cio.com/books.


CIO Best-Seller List

The 21 Irrefutable Laws of Leadership: Follow Them and People Will Follow You
By John C. Maxwell
Thomas Nelson, 1998

Fish! A Remarkable Way to Boost Morale and Improve Results
By Stephen C. Lundin, Harry Paul and John Christensen
Hyperion Press, 2000

Now, Discover Your Strengths: The Revolutionary Program That Shows You How to Develop Your Unique Talents and Strengths—And Those of the People You Manage
By Marcus Buckingham and Donald O. Clifton
The Free Press, 2001

Execution: The Discipline of Getting Things Done
By Larry Bossidy and Ram Charan
Crown Publishing Group, 2002

Good to Great: Why Some Companies Make the Leap... and Others Don’t
By Jim Collins
HarperCollins Publishers, 2001

SOURCE: Sept. 4, 2003, data, compiled by Borders Group, Ann Arbor, Mich.




Enterprise Intelligence | Supplier Intelligence | Organizational Intelligence | Customer Intelligence | Intelligence Architecture


Build  a  scalable 
data  warehouse 
with  a  single 
point  of  control. 


SAS® provides a high-impact, low-risk way to
achieve intelligent data warehousing. You can
extract, transform and load data from any source,
across any platform, while assuring quality. Simplify
the way you create and customize reports. And
deliver a shared version of the truth. To find out
how top companies reap bottom-line rewards
with SAS software - by leveraging the value of
data from corporate systems, e-business channels,
the supply chain and beyond - visit us on the Web
or call toll free 1 866 270 5727.

www.sas.com/warehouse 


The  Power  to  Know® 


SAS  and  all  other  SAS  Institute  Inc.  product  or  service  names  are  registered  trademarks  or  trademarks  of  SAS  Institute  Inc.  in  the  USA  and  other  countries.  ®  indicates  USA  registration. 
©  2003  SAS  Institute  Inc.  All  rights  reserved.  232130US.0503 


LEADERSHIP 


trendlines 

It  Really  Is  Different  at  the  Top 


A one-time CIO, now CEO, learns how to act in the top spot—and when to stop an IT project

ON AUG. 1, 2002, when Christopher Lofgren reported to work at Schneider National in his new position as president and CEO, he didn’t feel any smarter or any more powerful than he had felt in his previous roles as COO and CIO with the transportation and logistics company.

Yet, he had changed—immediately—in the minds of his colleagues who had seen him come of age at the Green Bay, Wis.-based company (see box). Suddenly, everyone from the receptionist to the CFO was reading into Lofgren’s every word and action, looking for hidden meaning, as if each frown and furrowed brow were biblical signs. It was an outcome that Lofgren had never anticipated but turned out to be a valuable leadership lesson from his first year as CEO: He’s had to raise his awareness of how people perceive him and to adapt to being in the spotlight, nonstop.

“You look at the [CEO] job when you don’t have it but operate close enough to it, and you think you understand it and what’s going to be required of you when you move into it. In general, what you think is true. But all these subtleties of the role that you couldn’t predict surface when you actually step into it,” he says.

Lofgren says he has also had to adjust to the inherent differences between the tactical, short-term obsessed COO role and the strategic, long-term focused CEO post.

As COO, Lofgren’s job was to push people to do their best work. While he still does this as CEO, he has learned to know when to be demanding. For example, during one meeting of the company’s top executives, Lofgren was dissatisfied with the level of discussion and was trying to advance it. His demands for a more pointed discussion, however, shut down the conversation entirely. He understood people could tell he was unhappy with the meeting. Afterward, he realized that he should have let the conversation run its course rather than force a change.

“You want [as CEO] to create an environment where everyone is engaged in discussions. To the extent that you express your unhappiness, you can shut them down,” he says.

Lofgren has also learned that IT is even more important and more strategic than he ever thought—even when he was chief information and logistics officer. That is not to say, however, that he’s a pushover for IT investments. Lofgren says as CEO he’s more demanding of the analysis that goes into business cases for IT investments and of the returns expected from them.

For example, Lofgren says he put the brakes on an implementation of an imaging system that used optical character recognition technology to turn paper-based information into electronic data. The system won approval because it would improve productivity; but when Lofgren learned the character recognition levels weren’t high enough to yield the expected benefits, he stopped further spending on the project. Schneider National found a different use for the system, though, so it wasn’t a complete waste of money, he says.

In another case, Lofgren says he gave the green light to a “very, very large capital investment” in a system that will enable the company to track its untethered trailers. These expensive trailers, which are very important assets, move around the supply chain from Schneider’s locations to customer locations and to locations of Schneider’s customers’ customers. If Schneider knows where these trailers are and whether they’re full or empty, it can put these assets to better and more efficient use.

“IT has to position us long term in our strategies. I see it as a capital expenditure that has to generate a return, and that return has to be pretty quantifiable. The CEO’s seat is all about how you manage capital,” he says. Both IT assets and human capital, it turns out.

-Meridith Levinson


Christopher Lofgren, former CIO and now CEO of Schneider National, avoids dominating meetings so that others feel comfortable expressing their views.


Christopher  Lofgren’s  Resume 

Job since August 2002: President and CEO, Schneider National, Green Bay, Wis.

2000-2002: COO, Schneider National

1999-2000: CIO and Chief Logistics Officer, Schneider National

1996-1999: CTO, Schneider National

1994-1996: Vice President of Engineering and Systems, Schneider National

1991-1994: Director of Engineering/Acting General Manager, Symantec

Education: BS and MS in Industrial and Management Engineering, Montana State University, Bozeman, Mont.; Doctorate in Industrial and Systems Engineering, Georgia Institute of Technology, Atlanta




PHOTO  BY  MICHAEL  LESCHINSIN 


That’s DigitAll vision.

How has Bank One become a leader in banking while showing its nearly 500,000
small business clients the path to a bigger, brighter future? With
unparalleled vision and absolute clarity. That’s why Bank One chooses
Samsung — the world’s leading manufacturer of TFT-LCD displays.
And now Samsung’s commitment to the big picture continues with the
innovative display technology found in the SyncMaster 192T, giving
you the opportunity to visualize a future just as bright.

• Super-bright, razor-sharp 19" analog/digital TFT/PVA display

• Unique dual-hinge base allows up to 90° tilt for optimal ergonomics

• 1280 x 1024, Xtrawide™ 170°/170° viewing angle, VESA® wall-mountable base

• World’s leading manufacturer of TFT-LCD displays

Visit www.samsungusa.com

©2003 Samsung Electronics America, Inc. Screen images are simulated.


Thinner Designs: Power efficiency allows for smaller cooling systems and lighter notebooks.

High Performance: Extremely responsive to the most demanding business applications.

Longer Battery Life: Power-conserving technology enables extended battery life.


The Unwired Office starts here.

The promise of a truly wireless workforce
is being fulfilled. Because Intel® Centrino™ mobile
technology delivers unprecedented levels of
mobility for your users and easier deployment
for you. Intel is working with other industry
leaders to make wireless networking not only
reliable, but secure. And Intel continues to
work closely with Cisco to extend Intel Centrino
mobile technology’s ability to support
enhanced wireless security protocols.* Now
you can do something the whole office
will thank you for. Unwire. For all the details,
go to intel.com/unwire.


©2003 Intel Corporation. Intel, Intel Inside and the Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries. Other names and brands may be claimed as the property of others. All rights reserved. System performance, battery life, wireless
performance and functionality will vary depending on your specific hardware and software configurations. See http://www.intel.com/products  centrino  more Jnfo
for more information. *Some security solutions may not be supported by your PC manufacturer. Check with your PC manufacturer for details on availability.


Editor’s  note:  Our  online 
community  of  IT  executive 
members  meets  often  to 
trade  tips,  tactics  and  best 
practices.  In  this  monthly 
Exchange  column,  we  will 
showcase  some  of  their 
ideas  and  experiences, 
along  with  what’s  top  of 
mind  and  what’s  not.  To 
learn  more,  visit 
exchange.cio.com. 


Portfolio  Management: 

Dos  and  Don’ts 

There’s  a  nagging  question  that  lurks  within  the  consciousness  of 
most  CIOs:  How  do  I  know  I’m  working  on  the  right  projects? 


PORTFOLIO MANAGEMENT, a method of aligning IT with business goals by prioritizing IT projects as you would a financial portfolio, can provide answers to that question. However, like most ideas in IT, portfolio management sounds great in concept but is tough in execution. “Portfolio management is like Olympic mud wrestling,” says Dave Clarke, VP of enterprise technology services at the American Red Cross, who has 10 years’ experience managing portfolios at W.L. Gore & Associates and General Motors. “It’s nasty, difficult and high-spirited even in the nicest of organizations. But it’s well worth it in the end, for the discipline and clarity it can produce.” Going on the theory that it is better to learn from someone else’s mistakes than to make your own, we asked CIO Best Practice Exchange members to share lessons learned from the front lines of portfolio management.


TOP of MIND

THE COMMUNITY HAS BEEN JAWING ABOUT...

Six Sigma in IT: When can I start?
IT audits: A necessary evil
Utility computing: Yawn
VoIP: Ready for prime time?
Maintenance fees: The horror!

YESTERDAY'S NEWS

Using published IT headcount benchmarks as a basis for hiring: Don’t bother!


1  Start  simple.  The  more  features  the  better; 

right?  Not  necessarily,  says  Jeff  Chasney, 
executive  VP  and  CIO  of  CKE  Restaurants. 
“Don’t  look  for  a  fancy  portfolio  management 
system  with  lots  of  bells  and  whistles.  Spread¬ 
sheets  work  great.” 

Be willing to cancel projects. “Constantly
review the merit and utility of your projects
based on current information,” says Chasney.
“Just because a project is placed on a
docket doesn’t mean that its efficacy remains
constant across time.”

Make sure your portfolio indicates which
investments did not make the cut. “The
chief value of a portfolio is that it represents
critical decisions about investments,” says
American Red Cross’s Clarke. “The portfolio
should clearly show what is currently approved
for spending and what is not, but might be at a
later date.”

Have a rational and transparent prioritization
scheme. At GM, Clarke used one
that looked something like this:

A.  Mandatory  or  legal 

B.  Fix  major  operational  risk  areas 

C.  Major  strategic  projects  (note  that  this  is 
third  on  the  list!) 

D.  Projects  with  significant  business  returns 

E.  Nice  to  have 

In addition, a time line is a smart way to prioritize
your projects. “If you compare all projects
on a common time line horizon,” says




PEERCOUNSEL 


Wireless Communications Policy

Q: As our organization has
grown, our number of cell
phones has grown sixfold,
and our usage is skyrocketing.
Now the CEO wants BlackBerry
devices. Before we move
ahead, I feel the organization
needs a wireless communications
policy to govern the use of these
and future devices. Does anyone
have insight on this subject?

-VP AND CIO OF AN ASSISTED LIVING FACILITY

A: We insist that all metered
wireless devices are purchased
and administered by
IT but paid for by the requesting
cost-center owner. IT sets
standards, negotiates rates and
ensures folks are on the right
plans. (We even provide guidelines
for use.) But the business pays for
the cost of the devices and the
monthly fees. We have a device-request
process that includes
cost-center owner approval of any
request. This approach allows us
to manage the contracts and standards
but puts the onus on the
business to manage proliferation
by making them accountable for
managing cost.

-ROBERT URWILER, VP AND CIO OF MACROMEDIA


More on Portfolio and Project Management

Read Portfolio Management: How to Do It Right, and learn from
some portfolio management masters.
For further details on project management
offices, read Office Discipline:
Why You Need a Project Management
Office. Both can be found at
www.cio.com/printlinks



CKE’s  Chasney,  “you  can  determine  how  much 
is  gained  by  each  project  and  when  you  will  begin 
to  realize  the  gains.  You  then  compare  the  gain 
amount  and  time  line  against  your  company’s 
financial  objectives  to  develop  a  reasonable 
course.” 

Set a corporate strategy—and incentivize others
to stay the course. Dade Behring, a medical
device company, focuses on “just a handful
of initiatives,” says CIO David Edelstein. “The
company’s IT governance council succeeds,” he
says, because “each member of the executive
leadership team works hard to ensure our respective
organizations are supporting these initiatives.
Everyone’s individual performance
objectives, from the CEO to the guy on the shop
floor, are explicitly linked to one or more of the
company initiatives. It becomes relatively easy
to link IT investments to the company initiatives
because everyone is moving in the same
direction.”

Ensure the IT staff does more than just
speak for IT. Portfolio management relies
on a strong partnership between the business and
IT—at all levels. “IT workers should be active
members of several functional leadership teams
in the company, and they should have leadership
roles on the business-related tasks of importance
to those teams,” says Edelstein.

CAN’T GET STARTED?

If  you’re  having  a  tough  time  getting  portfolio 
management  off  the  ground,  these  next  two  tips 
are  for  you. 

Find the pain, and focus on it. When building
the business case for your portfolio management
implementation, begin where the organization is
hurting the most, suggests Ron Kifer, VP of program
and solutions management at DHL Worldwide
Express. “Use industry case studies to
identify business benefits and then quantify those
benefits against your organization’s current situation,”
he advises.

Don’t go it alone. Use gurus, enterprise leaders
and senior-level colleagues to support your business
case, notes Kifer. “Do not rely solely on your
own influence and credibility within the organization
to sell portfolio management,” he says.
“Cite examples of success in other organizations
and, if possible, bring in an acknowledged leader
in the field to support your position in a formal
presentation to your senior leadership.”


EXPERIENCE  BASE 

Setting  Up  a  Project  Management  Office 

Jack B. Ott, VP of IT and CIO at Allianz Canada, talks about what works

“Our first attempt at starting a PMO [project management office] ended in
failure. We underestimated the training aspect. All the handbooks and templates
in the world are not much use if project leaders do not know how to
apply them. But since then, we have been able to establish an effective PMO
function. There is no set formula for success, but if I could give just one piece
of advice, it would be this: Get control of the project initiation process before
you do anything else.

“In most PMO-less companies, projects start up all over the place, and for the strangest reasons.
The inbound queue is always full beyond capacity, and any attempt to get discipline around
project execution is doomed. (Some of you may remember the I Love Lucy episode where Lucy
and Ethel are working on the cookie assembly line. It keeps going faster and faster as quality of
execution goes downhill.)

“To start the PMO you need to get control of what you do before you can start improving how
you do it. We started with a simple Project Planning Pipeline report that categorized projects
into Active, Next to Start and Proposed. With a few simple rules around how to ‘activate’ a project,
our customers quickly got used to the fact that we are doing fewer concurrent projects, but
we were going to execute them well. This set the stage for adding project management methodologies,
training, tools, support and all the good things that PMOs do to improve execution.”




Christopher Hoenig | Total Leadership

The Citizen CIO

What you can do for your country

THE TOTAL LEADERSHIP COLUMN is about the search for a full understanding
of leadership, in all its dimensions. But I think we’ve
largely overlooked something important. For years, we have
written about leadership as executives, in the context of organizations,
industries and different sectors. We have missed an
exploration of leadership as citizens, in the context of the neighborhoods,
cities, states and nations in which we live.

Democracy in the information age is still working through an
array of issues that are simultaneously threatening, confusing
and enticing. These range from property rights, privacy and security
to the need for improved public information, delivery of government
services and enhancement of our democratic processes.

These challenges and opportunities will not be met without
the leadership of those who understand how information is
collected, managed, distributed and used. The contribution of
CIOs in formal government positions will be necessary but not
sufficient. Many different types of CIOs, as citizens, must be
involved. The leadership challenge is for CIOs across the nation
to find new ways to pool their collective talents and help protect
our democracy.



Democracy  in  the  Information  Age 

Since the birth of democratic republics, principles and assumptions
have been present about the role of knowledge and information—from
protecting freedom of speech and patent law to the requirements
for heads of state to provide reports to the legislature.
George Washington, in his first annual message to Congress on
Jan. 8, 1790, said, “Knowledge is, in every country, the surest
basis of public happiness. In one in which the measures of government
receive their impression so immediately from the sense of
the community as in ours, it is proportionably essential.”

In  the  first  half  of  the  20th  century,  the  advent  of  large-scale, 
rapid  communication  of  symbols,  voice  and  images  (that  is, 
telephone,  radio  and  TV)  brought  new  roles  and  impacts  of 
information  in  a  democracy.  Similarly,  it  was  in  the  first  half  of 
the  last  century  that  the  foundations  for  information  about  our 
economy  and  our  people  were  developed. 


ILLUSTRATION  BY  ANTHONY  FREDA 




Advancements in the 20th century’s second half brought
forth the notion of cyberspace, a term that attempted to capture
the richness and scope of societal potential arising from the
combined impact of computing and communications technologies.
We have seen an exponential increase in the effect of
information on our society: computer models of human organs
and the earth’s climate; information assets like the human
genome; navigational systems such as GPS; global systems governing
markets, finance and supply chains; the World Wide
Web; and continuous advances in artificial intelligence.

True leadership means helping your fellow citizens
govern themselves more effectively.

The  CIO’s  Contribution 

The creation of the CIO position, and its ancillary positions of
CKO, CTO and CLO, have all coincided with this era of exponential
advancement. Someone had to take leadership on such a
multifaceted set of issues and opportunities. After decades of systematically
dealing with these challenges, CIOs have gained experience
and judgment that is a vital—but hidden—national asset.
CIOs know much about what is possible and what is not. They
know how to realize these possibilities
and the high risks of failure. They know
what talents are required to build a continually
evolving systems organization.

In short, CIOs have developed organized
approaches to getting the right
information and technology assets that
will produce the maximum impact on
the goals and aspirations of the organizations they help lead.
These approaches are needed not just in businesses and nonprofits,
but also in cities, states and the nation as a whole. And
in these latter cases, many different types of CIOs must work
together as citizens to understand what is possible, what is
required and how to make it happen. For example, the U.S.
national cybersecurity strategy, which was developed after 9/11,
can never be implemented without wholly new forms of collaboration
within the CIO community.




PHOTO  BY  KATHERINE  LAMBERT 


Millions will volunteer for the great national challenges, such
as fighting a war. But the enterprise of designing and building a
knowledge and information architecture for a 21st-century
democracy is no less necessary, even though it may be less visible
and produce fewer novels and movies. The CIO community
needs to discover its members who are already contributing to
these great human enterprises and follow their lead as they
weave knowledge, learning, technology and information into the
democratic fabrics of understanding, wisdom and judgment.

The  Leadership  Challenge 

The leadership challenge for CIOs, as citizens, is to help bring
to their fellow citizens the quality of information, systems, technology,
learning and knowledge that CIOs bring to their companies.
This involves much more than e-government, which is
about helping citizens interface with government. It involves
something more akin to “e-governance”—helping citizens
more effectively govern themselves in a new century.

The key to taking up this challenge is a change in mind-set:
from supplying customers to serving fellow citizens, from implementing
requirements to defining possibilities, from competition
in the marketplace to collaboration in the public arena. Only if
more members of the CIO community bring their skills to bear
will our democracy thrive in the information age.

In the course of my career, I have done three tours in private-sector
organizations and two tours as a public servant. As I
reflect on the lessons I’ve learned and applied, the most powerful
ones actually come from the most exemplary citizen I
know: my father. As a concerned member of his community, he
showed leadership and a commitment to progress that transcended
and enhanced his roles as father and employee.

Achieving “total leadership” is not just about understanding
leadership practices, absorbing tips and techniques and discovering
role models. The true mark of total leadership is being a whole
person. Only when we lead as citizens, not just as executives,
does the full power of leadership come within our grasp.


Send your comments to leadership@cio.com. Christopher Hoenig is a
director of strategic issues for the U.S. General
Accounting Office and has been an entrepreneur
(CEO of Exolve), consultant (McKinsey & Co.) and
inventor; and he is the author of The Problem Solving
Journey: Your Guide for Making Decisions and Getting
Results.




Michael Schrage | Making IT Work

It's All About the Execution

Lies, Damned Lies and Requirements

The road to applications development hell
is paved with rigid code requirements

AS THE CYNICAL SAYING GOES, there are lies, damned lies and statistics.
Alas, responsible CIOs have to manage an even greater
deception than statistics: requirements.

Requirements are the bane of cost-effective software development
and deployment. I’ve personally witnessed far more
money wasted in the creation of bad requirements than I’ve
ever seen thrown away by bad coding or testing. (Gosh, where
do we think so much bad coding and testing comes from?) We
know companies always complain about the costs and confusion
generated by undocumented code. Let’s talk, instead, about
the costs and chaos imposed by undocumented requirements.
The road to applications development hell is paved with
“good” requirements.

The reason is as simple and obvious as it is horrifying: Most
clients neither know what they want nor truly understand what
they really need. They’re ignorant. They don’t quite “get” IT,
and their grasp of their own internal processes is uncertain. If
a little knowledge is a dangerous thing, then these clients are
lethal. They’ll destroy any chance IT has of bringing a significant
software-based initiative in on time, on budget and—please
excuse the irony—according to spec.

Of course, any CIO with an ounce of brains and two ounces
of experience already knows this. However, because we’re all
supposed to hold hands and sing “Kumbaya” and be sensitive
to client needs and truly listen to what they’re saying, IT ends up
being the unhappy appeaser. Shame on CIOs for permitting this
pathology to persist. At one Fortune 250 company, internal
clients insisted they needed real-time analytic capability baked
into their new CRM system. This marketing group wanted the
ability to run sophisticated statistical algorithms to gain immediate
insight into the behavior of particular customers.

The problem was that building in that requirement would
add at least four months of development time, a month more
testing and an additional layer of complexity that would both
be more costly to maintain and risk degrading the overall
CRM performance. This was a multimillion-dollar decision.




ILLUSTRATION  BY  MARTIN  O'NEILL 




The  clients  were  prepared  to  pay  for  both  the  development  and 
the  delay,  if  IT  promised  to  allocate  the  resources. 

A statistically savvy IT project manager looked at the requirement
and found that a three-day programming effort would
reformat the CRM data so that analytics could be run in not-quite-real-time
on any PC with the right off-the-shelf statistical
software package. In other words, the project manager reframed
the original requirement in a way that gave the clients more
than 95 percent of the desired functionality for less than 1 percent
of the original cost.

The clients looked at the revised requirement numbers and
effectively said, “Even though we’ve never done real-time CRM
analytics, that’s what we’ve declared our requirement to be. Our
management signed off on it; you signed off on it. So do it. We
promise we’ll pay you more if you don’t show this alternate
spec to the general manager.” Shamefully, IT went along.

This  story  does  not  have  a  happy  ending. 

What makes such tales particularly atrocious is that so many
clients live with the pathetically self-serving delusion that they
actually do understand what they want and that IT was put on
God’s Green Earth to give it to them right now! Consequently,
their well-documented requirements read either like a wish list
or—worse yet—a rigidly defined spec sheet that ultimately contains
more internal contradictions and paradoxes than a high
tea chat with Lewis Carroll’s Mad Hatter. Increasing conflict,
confusion and cost become inevitable.

The obvious thing to do is to roll one’s eyes, grit one’s teeth
and try not to be too condescending to clients who want the
world for $1.50 a function point. After all, they know not what
they do. How can they? Even we can’t be sure what a purportedly
innovative app will really run like before it’s implemented—so
how could they know? We’re not good at
predicting the future. No one is. So shall we hazard a guess as
to how much IT executive time and ingenuity is spent on correcting
mismanaged expectations?

Indeed,  IT  conversations  would  be  profoundly  different  if  we 
banished  the  word  requirements  from  our  software  vocabularies 
and  substituted  expectations  in  its  place.  Instead  of  “requirements 
analysis,”  we’d  be  doing  “expectations  analysis”;  instead  of 
“prioritizing  requirements,”  we’d  be  “prioritizing  expectations.” 

This more honest IT approach would recognize that clients
are, in fact, acting rationally when they game requirements:
They are responding all-too-logically to the peculiar and perverse
economics of requirements-driven software development.
Requirements inherently create a world where clients have
unambiguous incentives to avoid rigorous thinking, shun risk
management and kick difficult design trade-offs to IT. This
defines dysfunction.

Think about it: How much does it really cost a client to
come up with yet another “good” requirement? The answer is,
almost nothing. So why should anyone be surprised by the surfeit
of requirements, enhancements and improvements that
inevitably materialize as development proceeds?

I’m not embarrassed to say that I’ve made a better than
comfortable living advising software
development groups to stop gathering
requirements after the first 20 to 25 and
then do a quick and dirty prototype to
lure the client into codevelopment.
Why? For two excellent market-tested
reasons: You tend to get better quality
requirements when they’re generated by
ongoing client interaction with a constantly improving prototype.
Prototype-driven requirements ultimately lead to better
apps than spec-driven prototypes.

The second excellent reason relies on Psychology 101:
Clients are happy to cavalierly reject your work. They tend to
think twice, however, before throwing out their own work. In
other words, when clients are vested in software development
with more than just money, you get both a better development
process and a better software product. The economics of
software prototype-driven requirements are inherently less
dysfunctional than the economics of requirements-driven
software development.

To  be  sure,  CIOs  and  the  IT  organizations  do  occasionally 
get  to  work  with  savvy  clients  who  know  what  they  want, 
know  what  they  need  and  know  how  to  define  requirements  in 
a  way  that  makes  both  economic  and  technical  sense.  However, 
they’re  not  the  problem.  To  the  contrary,  they’re  the  people 
who  make  being  a  CIO  both  fun  and  important. 

Unfortunately, most CIOs today also confront clients and
colleagues who have allowed the perverse economics of requirements
to create unrealistic expectations and dysfunctional business
behaviors. Requirements should be a means to an end, not
the end itself. Responsible CIOs had better start requiring their
client-IT teams to spend more time creatively designing the right
software requirements than rigidly requiring the
right software designs.


Michael  Schrage  is  codirector  of  the  MIT  Media  Labs’ 
eMarketing  Initiative.  He  can  be  reached  via  e-mail  at 
schrage@media.mit.edu. 


IT conversations would be profoundly different if we
banished the word requirements from our vocabularies
and substituted expectations in its place.




PHOTO  BY  JOHN  SOARES 




ENTERPRISE VALUE RETREAT & AWARDS CEREMONY

FEBRUARY 8 - 10, 2004
TRUMP INTERNATIONAL SONESTA BEACH RESORT
SUNNY ISLES BEACH, FLORIDA

This is the event for CIOs who are concerned with
articulating, delivering and demonstrating the value IT
brings to the enterprise. While some pundits say IT is only a
commodity, we believe IT continues to be at the forefront in
increasing your competitive advantage. To give you more
ways of looking at IT value, we incorporate research and case
studies from Peter Weill’s work at MIT Sloan School of
Management. We put you together with CIOs who are the
winners of this year’s CIO Enterprise Value Awards.
And we give you the opportunity to learn from each other.

Call 800.355.0246 or visit us at www.cio.com/conferences


CIO  Advertising  Supplement 


THINK LOCALLY, ACT GLOBALLY

Potential savings beckon from global full-lifecycle software
development—but only if organizations understand challenges,
risks and unique project parameters.


Offshore  outsourcing  isn’t  new. 

Charged  with  containing  costs,  many  IT 
leaders  today  look  offshore  for  high-quality, 
low-cost  application  development  solutions. 

What’s new is that, after years of outsourcing
mainly low-risk maintenance
work, CIOs now are considering offshore
for full-lifecycle application development—software
R&D using a combination of
local and global resources. Early adopters
find clear benefits from these new global
solutions, including:

•  Cost  savings 

•  Faster  time-to-delivery 

•  Ability  to  deploy  internal  resources 
more  effectively  and  concentrate  on 
core  competencies. 

But to achieve such success, these
CIOs have had to overcome the unique
challenges of the marketplace, says Joe
Morone, senior vice president of sales
and solutions at CIBER, Inc., the international
systems integrator. Overstated
benefits and understated challenges have
made many CIOs reluctant to use global
delivery for full-lifecycle application
development, Morone says. “And perhaps
they should be.”


Custom  Publishing 


Among the challenges: managing transnational teams, and the crucial
differences between simply outsourcing maintenance tasks on legacy
applications — a comparatively straightforward practice that is now
getting to be almost mainstream — and the much more demanding process
of using global resources for full-lifecycle software development.
Many global vendors can tackle traditional legacy product support
tasks. Few can handle the complexities and challenges of
full-lifecycle application development.

The key difference between legacy and full-lifecycle application
development is complexity, says Morone. A legacy application’s
maintenance tasks are well understood and have clear boundaries.
Assigning responsibilities is straightforward, and definitions of
success are clear-cut. By contrast, full-lifecycle application
development is a more open-ended process where requirements and task
boundaries must be developed carefully and continually refined to
ensure success.

Daunting challenges, yes, but hardly insurmountable. The formula for
achieving success in global, full-lifecycle software development
includes: expressing the business requirements; leveraging a model
that includes both onsite and offshore delivery options;
understanding the full range of offshore options; and then selecting
the right global partner.

EXPRESSING  THE  REQUIREMENTS 

Frank J. Casale, Founder and CEO of The Outsourcing Institute, says
that companies often struggle with the need to create a business
requirements document — the cornerstone of an effective application
development effort. Indeed, Casale notes that it is this step, rather
than technological issues, that presents the greatest challenge


Executive Seminar Series Explores Global Solutions Options

Industry Experts Answer Questions, Offer Trends and Tips, in Webinar Series

Want to know more about some of the global sourcing challenges,
options and success stories?

Join CIBER and its clients for a series of educational webinars
featuring IT thought leaders from Gartner Inc., CIO magazine and The
Outsourcing Institute. These three thought-provoking discussions will
focus on if, how and when to apply global IT resources in application
development, integration and support. These events will include
executive insight, industry expertise and valuable customer insights
on the latest global sourcing solutions. For more information, visit
www.ciber.com/tunein/CIO.

Rita Terdiman
Vice President & Research Director, Gartner Research
OCTOBER 29, 2003, 10 a.m. PST/1 p.m. EST

Tom Field
Former Executive Editor, CIO Magazine
NOVEMBER 17, 2003, 10 a.m. PST/1 p.m. EST

Frank J. Casale
Founder and CEO, The Outsourcing Institute
DECEMBER 2003




CIBER, Inc. — the Global Solutions Experts

CIBER, Inc. (NYSE: CBR) is a leading international system integration
consultancy with superior value-priced services for both private and
public sector clients. CIBER’s services are offered on a project or
strategic staffing basis, in both custom and enterprise resource
planning (ERP) package environments, and across all technology
platforms, operating systems and infrastructures.

What makes CIBER different? 98 percent customer satisfaction and CMM
Level 5 capability, combined with local teams working from offices
across the United States that can leverage the economic advantages of
global sourcing.

Founded in 1974, the company’s consultants now serve client
businesses from 60 CIBER, 10 DigiTerra and 10 CIBER Europe offices.
With offices in 10 countries, annualized revenue of approximately
$700 million and approximately 6,000 employees, CIBER’s IT
specialists continuously build and upgrade our clients’ systems to
“competitive advantage status.” CIBER is included in the Russell 2000
Index and the S&P Small Cap 600 Index.


in any development effort. But that's even more true when engaging
global resources for an outsourcing effort. “It is imperative that
organizations understand the nature of effective business
requirements in implementing IT outsourcing — especially in an
offshore model,” says Casale.

Failing  to  fully  articulate 
business  requirements  is  one  of 
the  most  common  mistakes 
organizations  make  in  any 
engagement,  Casale  says. 

Indeed, developing the necessary contents of a requirements document
can sometimes be very challenging. “Experienced consultants can help
an organization develop a thorough business requirements document
that becomes the driver to build, integrate and support mission
critical applications,” says Casale.

“Invest  time  and  money  in 
developing  good  business 
requirements,  communicating 
them  cross-functionally,  and  then  you’re 
in  the  game,”  he  adds. 

UNDERSTANDING  THE  OFFSHORE 
OPTIONS 

With  requirements  carefully  articulated, 
offshore  sourcing  becomes  more  feasible. 
But  one  must  understand  the  marketplace 
and  its  myriad  options. 

Application outsourcing is not new. Indeed, enterprises and external
service providers have long been involved in such relationships.
However, nowadays, offshore outsourcing is increasingly viewed as a
strategic choice that can significantly reduce costs and support a
focus on core competencies. “The strongest driver is certainly the
possibility of cutting costs, especially with the expanded capability
of overseas resources,” says Rita Terdiman, research director and
outsourcing expert at Gartner Inc.



Terdiman says the application outsourcing market now includes a broad
range of services. Understanding key trends and drivers shaping this
market will help enterprises to better plan, implement and refine
their sourcing strategies.

Significantly, Terdiman does not find a large percent of offshore
resources being used prior to the “labor-intensive” build and deploy
phase of application development. In other words, a lot of the hard
work has to happen locally first. Understanding when and how to apply
local and offshore resources, and having the right capabilities on
both ends, is key.

“In the past year or two, the application outsourcing market has
grown and changed considerably,” says Terdiman, “but new buying
behaviors and changing vendor value propositions will cause even
bigger changes through year-end 2004.”

CHOOSING  THE  RIGHT 
PARTNER 

The ultimate key to success is finding a partner with ample and
knowledgeable on-site, local resources, and the ability to take
responsibility for program, project and requirements management. If
that local team properly parses the project, it can then leverage
offshore resources for more routinized tasks such as coding and
testing. The approach must be seamless and based around experienced
individuals and teams able to 1) understand all aspects of the
project, and 2) communicate and cooperate successfully.

Beyond where the work is performed and what it costs, global
outsourcing clients and partners must work together to weigh business
risk, knowledge transfer, operational complexity, methodologies and
skills availability. “That's the only way to elicit accurate and
complete business requirements,” Morone says.

“Organizations will be successful leveraging global resources for
application development — it's an irreversible trend,” Morone says.
“But it won't work unless teams are properly organized and assigned.”



discussion  and 
mation  exchange 
peers  is  invalu- 

1  ” 

Robert  Odenheimer, 
SVP,  IT  Operations, 
Magellan  Behavioral  Health 


“The content presented by Peter Weill was an excellent framework to
discuss current challenges with a very interesting peer group.”

Chris  Acton,  Global  IS, 
RioTinto  Borax 


“Lessons learned are not the usual academic fare, but the subtleties
of the cultural and technological minefields.”




Evelyn  Lockett  Woods, 
EVP/CIO,  Joint  Commission  on 
Accreditation  of  Healthcare 
Organizations 


Retreat Moderator

Peter Weill
Director, Center for Information Systems Research,
MIT Sloan School of Management

The Case Studies

Peter Weill once again presents findings and case studies from work
with hundreds of Global 1000 companies, focusing on three key areas:
IT infrastructure for strategic agility, effective business models,
and IT governance.

> IT Infrastructure for Strategic Agility

Strategic agility — the ability to implement new business initiatives
quickly and cost effectively — will be an increasingly important
capability for enterprises in 2004. IT infrastructure is one of the
critical platforms required for strategic agility. Investing in the
right infrastructure at the right time enables rapid implementation
of future electronically based business initiatives and cost
reduction of current business processes — i.e., more business value.
This session presents a framework for senior executives to view IT
infrastructure in business terms and to help in making investment
decisions. Weill illustrates how firms successfully implement and
exploit their IT infrastructures with several case studies.

> Do Some Business Models Perform Better Than Others?

In an increasingly connected business world the business model — what
a firm does and how they make money — is a critical strategic
decision. Understanding what business models are used, how they are
combined, and which are most successful is important for every senior
manager. In addition, firms implementing each model use IT
differently — resulting in different IT portfolios. This presentation
provides a new and powerful way to analyze a firm's business model
and then think about the IT needs.

>  IT  Governance  Workshop 

In response to strong interest in last year’s session on IT
governance, Weill leads a workshop on how top performers govern. He
presents case studies and insights from MIT CISR’s study of effective
IT governance in 256 enterprises in 23 countries. A framework is
presented in this workshop to analyze and communicate governance,
illustrated with case studies of top performers.

>  Monday’s  Case  Study 
Workgroups 

Monday at lunch we divide into small groups to investigate the link
between business strategy and IT infrastructure in a new case study.
The case is based on a global multi-business unit firm in the
healthcare industry moving from a fully decentralized approach to
information technology to providing some firmwide IT infrastructure.
The challenge for your group is to advise the newly appointed CIO.
Groups will report back with their recommendations.


The  Enterprise 
Value  Award 
Winners 

They’re scrutinized by CIO editors, Review Board members, and our
judging panel of top-notch CIOs. Meet the winners of the prestigious
CIO Enterprise Value Award and learn how they delivered true value.

>  The  Value  Proposition 

Our panel of CIO Enterprise Value Award winners talks about the
ongoing difficulty inherent in demonstrating and delivering IT value.
How do you convince your CEOs, CFOs and COOs — who may think IT is
just a commodity, a utility — that its intelligent application and
deployment can and does indeed bring strategic value to the business?

> Monday Night’s Gala Awards Ceremony & Dinner

We’ll announce the winner of the Grand CIO Enterprise Value Award —
and honor all the winners in the industry categories at a black-tie
reception, awards ceremony and dinner. It’s a great time to celebrate
with your CIO peers.

>  Conversations  with 
This  Year’s  Winners 

We offer breakout sessions with the CIOs of this year’s winning
organizations. It’s your chance to talk at a more intimate level,
discuss their particular case in more detail and take away lessons
you can apply to your own organization back home.


The  Peer 
Networking 

CIOs tell us it’s as important to have opportunities to meet
informally with their peers as it is to participate in the Retreat
sessions. We give you more opportunities to meet and learn from more
of your peers over three days, with the golf tournament Sunday
morning, informative chats at breakfast and lunch roundtables, the
intensely interactive case study workgroup sessions, and relaxed
conversations during the daily receptions. And we’re happy to hook
you up with other attendees or corporate sponsors you’d like to meet.


Sunday  Night  Special  Event 


Jimmy  Tingle’s 
Uncommon  Sense 


It's a scary, unpredictable — and absurd — world we live in.
Satirist, comedian and commentator Jimmy Tingle takes us on a highly
personalized tour of the absurdities of modern life. You've got to
laugh to survive.


This year's Enterprise Value Retreat Awards Ceremony is proudly
underwritten by BMC Software


Presented  by 


The  Resource 
for  Information 
Executives 


Cover  Story  |  The  CIO  Role 


Budgets have been cut, their work’s been outsourced, their
staff’s been downsized, and they’ve been pushed off the executive
team. Their status within the enterprise has suffered. That’s dumb,
CIOs, not fighting back would be dumber.

BY STEPHANIE OVERBY

Reader ROI

► Why more CIOs are reporting to CFOs

► Why CIOs' loss of status

► How CIOs can regain their seat at the executive table


shrinking CIO


When Jim Brownell was CIO of Williams-Sonoma, he sat on the executive
committee, reported directly to the CEO, and oversaw a strategic,
multimillion-dollar replacement of the retailer’s merchandising and
warehousing system. But when a new CEO took over, he decided he
wanted his own CIO. So last October, Brownell, a 25-year IT veteran,
began looking for a comparable position elsewhere. He couldn’t find
one.

“When I looked at opportunities in CIO-land, they were unappealing.
The cycle of CIOs reporting to CFOs is coming back, and it’s not
pleasing,” Brownell says. “I heard the same story in every interview:
‘We’re looking for a new CIO because IT projects never deliver on
time and they cost more than we expect and they don’t deliver what we
want. All our systems need to be replaced. Oh, and we’re reducing the
amount of money we’re allocating for IT.’”

In May, Brownell accepted a job as senior vice president and general
manager of Escalate, a California software vendor, rather than settle
for a lesser CIO job. “Quite honestly,” says Brownell, “I don’t know
why anyone would want the CIO job today.”




THE  DUMBING  DOWN  OF 
THE  CIO  ROLE 

Brownell  has  a  point.  Consider  the  following: 

► The percentage of CIOs reporting to CFOs doubled this year from
last year, according to CIO's “The State of the CIO 2003” survey (see
the complete survey results at www.cio.com/printlinks). Reporting to
the CFO rather than the CEO or COO is almost always a sign of
diminished clout.

► Executive recruiters report that companies are looking for low-cost
techies and, surprisingly, junior employees to fill the role of CIO.
In 2001, compensation for CIOs at large companies decreased for the
first time since 1985 and has slid 16 percent — from $434,000 in 2001
to $363,000 in 2003, according to IT management consultancy Janco
Associates.

► IT spending continues to be flat or in decline. Technology budgets
were cut 14 percent for the second quarter of 2003, the fourth
consecutive flat or declining quarter, according to the
Wendover-Global Insight IT Spending Index, with no uptick expected
before year’s end. Similarly, only 38 percent of respondents to CIO's
own Tech Poll said they do not expect an uptick before the end of
2003.

► The increased interest in outsourcing and shrink-wrapped technology
strategies has emboldened some CEOs and corporate boards to rein in
what they see as an overinflated executive position.

The net result in many enterprises is an unofficial demotion of the
CIO — a dumbing down of the job.


“Quite  honestly,  I  don’t  know 
why  anyone  would  want  the 
CIO  job  today.” 

-FORMER  WILLIAMS-SONOMA  CIO  JIM  BROWNELL, 
CURRENTLY  COO  OF  ESCALATE 


THE  INCREDIBLE  SHRINKING  PAYCHECK 


CIO Compensation by Industry                              2002       2003
Insurance/real estate/legal                               $255,975   $223,897
Computer-related                                          $228,338   $209,574
Manufacturing/process industries (noncomputer-related)    $213,280   $176,769
Education                                                 $145,384   $126,172

SOURCE: Janco Associates


“CIO is no longer the same level of position,” says Phil
Schneidermeyer, CIO practice leader for executive recruiting company
Highland Partners. “Companies are stepping back and saying the job
isn’t that big anyway. We’re making less investment in IT. We have a
smaller headcount. We’re not going global and doing any mergers.
We’re done with ERP. We’re sending it all offshore. Therefore we
don’t need the caliber of CIO we may have had in the past.”

Whatever  the  reasons  for  the  disrespect 


68  CIO  OCTOBER  15,  2003  •  www.cio.com 


PHOTO  BY  ANDY  FREEBERG 


Questions  are  everywhere.  Insight  is  not.  Making  important  decisions  is  your  job.  Delivering  the  insight  to 
help  you  make  smarter  decisions  is  ours.  With  business  applications  and  services  like  financial  and  customer 
relationship  management,  we  have  the  experience  and  resources  to  help  you  succeed  in  a  world  of  surprises. 
To learn more, visit microsoft.com/BusinessSolutions/Insight. Software for the Agile Business.


Microsoft 


Human  Resource  Management  Retail  Management  Analytics  Field  Service  Management  Supply  Chain  Management 

Manufacturing  Financial  Management  Customer  Relationship  Management  Project  Management  E-Commerce 




the  CIO  has  become  heir  to  (and  there  are 
some  good  ones,  including  multimillion- 
dollar  implementations  that  didn’t  deliver 
and  Y2K  remediations  that  failed  to 
impress),  there’s  no  question  that  in  some 
quarters  the  critical  role  of  the  corporate 
CIO  as  commander  in  chief  of  technology- 
driven  business  opportunity  is  in  jeopardy. 

As it now stands, Brownell (who was recently promoted to COO), says,
“Companies no longer view IT as a profession. It’s a no-win
situation.” And if things don’t change, the list of potential losers
is long: CIOs, their users and staffs, their companies, and possibly
the future of American IT.

FROM BACKROOM TO BOARDROOM...AND BACK?

In the early 1970s, IS gave way to IT, and data processing managers
were plucked from the technology closet. The corporate CIO was born.

“When  information  technology  was  a 
new  innovation,  it  was  an  exclusive  little 
game,”  says  Sheleen  Quish,  global  CIO  and 
vice  president  of  corporate  marketing  of 
packaging  manufacturer  U.S.  Can.  “CIOs 
became  keepers  of  the  treasure  chest.” 

But as that IT treasure became something every enterprise felt it had
to have, many CIOs, coming up through the technology ranks, lacked
the business skills to run departments that, in many cases, rivaled
in size and budget some of the companies’ largest business units.

ROI?  What  was  that?  Spreadsheets?  Isn’t 
that  something  Excel  did? 

“It’s not that CIOs were irresponsible; it’s just that they weren’t
fiscally aware,” says Bill Glassen, CIO of Cashman Equipment, which
sells and leases Caterpillar construction equipment. “If the
president of the company said one day, ‘Hey, I want to do
e-commerce,’” Glassen says, “the CIO bought tons of servers, hired
Web programmers, basically spent a lot of money,” frequently without
building a business case.

Of  course,  when  the  dotcom  bubble  burst 


THE DIMINISHED CIO

The numbers tell a sad story

22% of CIOs in 2003 — as opposed to 11% in 2002 — are now reporting
to CFOs

IT budgets declined or were flat for four consecutive quarters
(through Q2 2003)

84% of CIOs say their IT function is being budgeted as a cost center

7 out of 10 companies are currently outsourcing some type of IT
operation, which is predicted to jump to 100% in 2006

Average large company CIO compensation dropped 16% from $434,000 in
2001 to $363,000 in 2003

SOURCES: 2002/2003 "The State of the CIO" surveys,
PricewaterhouseCoopers, Wendover-Global Insight IT Spending Index,
Meta Group, Janco Associates

and  the  bottom  fell  out  of  the  market,  CEOs 
didn’t  need  to  look  far  for  a  scapegoat.  “As 
a  leadership  position,  the  CIO  role  had  little 
or  no  credibility  left,  and  we  deserved  every 
bit  of  it,”  says  Malcolm  Fields,  CIO  of  office 
furniture  and  fireplace  manufacturer  Hon 
Industries. 

And so CIOs, who had achieved a place in the executive ranks and a
straight-line reporting relationship to the top of the organizational
chart, are now seeing that access threatened.

When hired as CIO by Cashman in 1998, Glassen had no contact with the
CEO or the executive committee. When a second CEO, an IT enthusiast,
came aboard, Glassen was invited to participate in the executive
committee. In late 2000, a more cost-conscious CEO took over, looked
at what IT had spent and what it had produced, and decided not to
include the IT head on the committee. “I was dropped as a
participant, and rightly so,” he says. “I needed to prove that IT had
value. And until I could justify that there was an ROI to what we
were doing, IT was relegated to a support function again.”

Since  then,  Glassen,  who  reports  to  the 
CFO,  has  been  trying  to  earn  his  way  back 
into  the  monthly  meetings,  upping  his  face 
time  with  the  CEO  and  communicating  the 
financial  impact  of  all  IT  initiatives.  It’s 
working,  to  an  extent.  “I’m  participating  in 
a  somewhat  active  format,”  Glassen  reports. 
“I’m  not  involved  in  the  decision  making 
anymore,  but  I  try  to  be  involved  in  the 
information  dispensing  aspect  of  it.  The 
CFO  usually  tells  me  the  things  he  knows 
about  so  I’m  not  totally  out  of  the  loop.” 

WHEN  MONEY  TALKS,  I.T. 
HAS  NOTHING  TO  SAY 

As executives and corporate boards remain focused on cost cutting,
they’re tightening the reins on IT. According to the 2003 “State of
the CIO” survey, 84 percent of CIOs said their IT function is
currently being budgeted as a cost center that generates expenses
rather than an investment center that generates new business
capabilities.

And as corporations continue to cut technology spending, more and
more companies are going for an off-the-shelf IT strategy, influenced
in part by vendors’ claims that they can clean up the “mess” CIOs
have created. “Many organizations have come to believe that they can
live with a certain level of technology that’s plug-and-play, not
complex, and gets the job done,” says Highland Partners’
Schneidermeyer.

Even CIOs are drinking the Kool-Aid. “It only makes business sense.
If you can get it out of the box, why build it? Today, everybody’s
there with the ‘buy before build’ mantra,” says David Robinson, CIO
of insurance broker Lockton Cos., who recently




Send  and  receive  attachments  nearly  twice  as  fast. 


average 
20-40  Kbps 


average 
50-70  Kbps 


Your  business  can  get  more  done,  faster, 
in  more  places  nationwide  with  the  Sprint 
advanced  wireless  network. 


Compared  with  the  AT&T  Wireless  Next  Generation  network. 
Sprint  gives  you: 

•  Laptop  connections  nearly  twice  as  fast 

•  30%  larger  coverage  area 

•  Over  30  million  more  people  covered 


All of this and, of course, clear calls on the
most complete, all-digital wireless network in
the nation to make your business more effective.

PCS Connection Card.™ Insert it in a laptop. Get a wireless
connection.

Get the facts at www.sprintpcs.com or call 877-459-8144
for a PCS Business Representative.

One Sprint. Many Solutions.

Voice/Data  PCS  Wireless  Internet  Services  E-Business  Solutions  Managed  Services 


Speed  claims  based  on  published  averages  from  each  carrier  and  other  information.  Realized  speeds  will  vary  based  on  devices,  tasks  and  other  factors.  Coverage  claims  based  on 
the  enhanced  Sprint  Nationwide  PCS  Network  (reaching  240  million  people)  and  the  AT&T  Wireless  National  Next  Generation  (GPRS)  network  and  coverage  included  with  available 
service  plans  excluding  roaming  areas.  Copyright  ©2003  Sprint  Spectrum  L.P.  All  rights  reserved.  Sprint  and  the  diamond  logo  are  trademarks  of  Sprint  Communications  Company  L.P. 




replaced  an  application  built  in-house  with  a 
Web-based  system  provided  by  an  ASP. 

Add to that the pressure to save money by outsourcing more and more
IT, and CEOs wonder why they should pay someone a hefty six-figure
salary and bonus just to piece together these seemingly simple IT
parts.

“Put  yourself  in  the  shoes  of  a  CEO,” 
suggests  Hon  CIO  Fields.  “They’re  asking, 
Do  I  really  need  a  CIO,  and  if  I  do,  why  not 
report  it  lower  in  the  organization  and  let 
the  CFO  handle  it  as  a  cost  matter?” 

WHAT  CIOS  CAN  DO 

For the most part, say analysts, CIOs haven’t helped matters in the
way they’re responding to the current crisis in their corporate
status. “Their scope of operating has been cut back, and most of them
are holding on for dear life,” says Mark Lutchen, lead partner for
PricewaterhouseCoopers’ IT business risk management practice.
“They’re told to cut costs, and they take out the machete. They’re in
survival mode, doing what they’re told, reporting to whomever they’re
told to.”

Glassen  admits  it.  “When  everything 
started  becoming  very  expense-oriented,  we 
withdrew,”  he  says.  “If  we  had  been  more 
involved  and  proactive  sooner,  maybe  users 
and  executives  would  be  involving  us  more.” 

What  does  it  mean  to  be  proactive? 

► Run IT like any other business unit. For U.S. Can’s Quish, that has
meant taking a critical look at the IT department she took over in
late 2000 after her predecessor, who reported to the CFO, left after
just a week on the job. What she found was “ugly, ugly stuff.” Half
her employees were unqualified, and projects were initiated via ad
hoc requests. The operations unit had purchased three new systems on
its own, and vendors had installed them. The IT infrastructure was
falling apart. No wonder the packaging manufacturer had lost faith in
IT and its leadership. Says Quish, “I almost walked out after a
week.”

Quish  knew  she  could  improve  things. 
What  was  important  was  to  do  so  in  a  very 
public  manner.  “I  ran  IT  improvement  as  a 
public  reengineering  effort,”  she  says.  “[The 
business]  saw  me  fire  people.  They  saw  me 
put  projects  into  very  disciplined  request 
processes.  Focusing  a  light  on  ourselves, 
while  scary,  was  healthier,  and  it  gave  us 
some  baseline  credibility.” 


“You need access to the executive team. The best way to do that is to
be a key component of their projects, provide advanced warnings of
problems, recommend solutions and speak in business language — not
technology.”

-U.S. CAN CIO SHELEEN QUISH




PHOTO  BY  CHRIS  LAKE 


“Secure  Web  access  to  our 
key  applications  without  a 
single  rewrite  was,  by  itself, 
a  huge  benefit  from  using 
Citrix.  In  addition,  Citrix 
cut  annual  telecom  costs  at 
our  370  dealerships  by  40%.” 


CiTRIX 


©2003 Citrix Systems, Inc. All rights reserved. Citrix is a registered trademark of Citrix Systems, Inc. in the U.S. and other countries.
All other trademarks and registered trademarks are the property of their respective owners.


Joyce  Vonada,  CIO 

AutoNation,  Inc. 


INFRASTRUCTURE  FOR  THE  ON-DEMAND  ENTERPRISE 

AutoNation  has  rapidly  become  the  largest  retailer 
of  new  and  used  vehicles  in  the  U.S.,  with  370 
dealerships  across  17  states.  With  the  need  to  provide 
secure  access  over  the  Internet  to  key  business 
applications  running  on  widely  diverse  IT  systems, 
AutoNation  turned  to  Citrix.  Without  a  single 
rewrite,  Citrix  made  it  possible  for  12,000  users  to 
access  hundreds  of  applications  over  the  Web. 
AutoNation,  along  with  99%  of  the  Fortune  500, 
uses  Citrix®  software  to  deploy  applications  centrally 
for  secure,  easy,  and  instant  access  to  business-critical 
information — anywhere,  anytime,  from  any  device. 
We  call  it  the  on-demand  enterprise.  And  it’s  helping 
more  than  120,000  of  our  customers  save  money 
and  reduce  IT  complexity.  To  learn  what  Citrix  can 
do  for  your  business,  call  888-820-7918  or  visit 
www.citrix.com. 


Cover  Story 


The  CIO  Role 


A  year  in,  Quish  was  reporting  not  to  the 
CFO  but  to  the  CEO. 

► Put fiscal controls in place. “The IT spend will come back eventually, but it would be naive to think CIOs will be given free rein to spend what they were spending in the past,” says PWC’s Lutchen. “CEOs are going to want more oversight, a business approach to making IT decisions and investment in IT like a financial portfolio—everything they expect of any other executive.”

► Surround yourself with people who have business backgrounds. Lockton’s Robinson, who started as a Fortran programmer and came up through the IT ranks, counts several business unit COOs as his mentors. PWC’s Lutchen suggests setting up a leadership team within IT, not unlike the way a CEO does. “Hire someone who knows HR. Hire someone to handle communication,” Lutchen says.

► Get out of your office. “For finance folks or other executives, leaving their comfort zone is not uncommon,” says Peter Longo, the former CIO of Pratt & Whitney who recently took over as CFO of sister company Sikorsky Aircraft. “But you don’t often hear of IT folks leaving for a stint in procurement or finance.” Yet the CIO’s responsibilities cut across the business in ways many other CXOs’ don’t.

► Teach your staff to be businesspeople. CIOs must train their staffs—their ultimate representatives—to get to know the business. “The roles are changing,” says Robinson. “My employees used to say, ‘I’m not an insurance person. I’m an IT person.’ Now I tell them, ‘You need to be an insurance person.’”

► Make the numbers tell the story you want. CIOs need to show the business that their departments are more than money pits. “On more days than not, IT is a huge cost. The business sees one big number, and it’s pretty substantial,” says Robinson. To soften the blow, he divides IT costs by the number of people in the company: $1,700 per employee per year sounds a lot better than $2.6 million.

“You have to neutralize the whole cost thing any way you can,” Robinson says.

► Work those relationships. CIOs need to salvage their relationships with key executives, especially the CEO. “If you still have some connection at the executive level, you need to work to keep it, almost like a married couple would go to counseling to stay together,” Lutchen says. “In some cases, CIOs are doing a great job; they’re just not communicating it effectively. You need to share information that shows real business value.”

CIOs who are fortunate enough to report to the CEO would be wise not to bank too heavily on that fact. Other C-level executives can make or break you too. Quish notes that she once had a great relationship with her CEO but got fired anyway. “Unfortunately, I didn’t bother with my peers, and they joined forces and got me outplaced,” Quish recalls. “You need access to the entire executive team. And the best way to do that is to be a key component of their projects, provide advanced warnings of problems, recommend solutions and speak in business language—not technology. Then they’ll actually want you involved.”

THE ARGUMENTS AGAINST DUMBING DOWN

| Claim | Argument against |
|---|---|
| IT is a cost center. Therefore the CIO should report to the CFO. | CFOs think in terms of quarterly earnings. IT is best managed as a long-term investment. |
| Technology is becoming plug-and-play, commoditized. Why do we need a high-priced executive to turn the key? | Precisely because it’s becoming commoditized, business value and competitive advantage will be determined by how well we manage our technology. To do that well, we need a strategist. |
| We’re outsourcing everything anyway. We don’t need a CIO. | Vendor management is one of the CIO’s core competencies. No one else has the knowledge to do it as well. |

And finally:

“There’s no asset more important than a company’s data. You can’t give that responsibility to someone who doesn’t know how to handle it.”

-CIO MALCOLM FIELDS, HON INDUSTRIES

If there’s no official relationship with the CEO, CIOs should create one, unofficially. “I report to the CFO,” says Fields. “But when the CEO has a meeting or get-together, I’m there. A lot of times, I’m the only person there who doesn’t report to the chairman.” Fields never makes a point of




that  fact  other  than  to  make  a  joke  about 
it.  But  he  knows  that  the  day  he’s  no  longer 
there,  he  could  be  on  his  way  out.  And 
that’s  no  joke. 

NO  CIO?  YOU  DON’T 
WANT  TO  GO  THERE 

Once CIOs regain credibility, they
can  argue  against  the  weakening 
of  the  CIO  role  from  a  position 
of  strength.  And  the  case  to  be 
made  is  powerful. 

Former Williams-Sonoma CIO Brownell says CIOs need to make it clear that the cost of handing the responsibility for IT over to the CFO (a reporting situation that’s almost never set up for any other CXO) can be high. “In the past, I’ve had the CFO say to me, ‘Can you stop working on this thing for the next three months?’” Brownell recalls. “Every time we stop, we lose 20 percent to 30 percent of the work we’ve done, and we have to start all over from scratch.”

Sikorsky Aircraft CFO Longo enthusiastically supports a policy that requires his company’s CIO to report straight to the top. “They asked, ‘Should the new CIO report to you now?’” says Longo. “But I believe the IT function should not sit in the background. It should be at the table with other key support functions like finance, like HR. Out of all of them, IT has the most potential to change the business.”

CIOs should make it clear that a seat for the CIO on the executive committee is essential to the successful implementation of any IT strategy. Eighty-three percent of CIOs identified as best practitioners said serving on the executive committee was critical to their effectiveness, according to the 2003 “State of the CIO” survey. “When you’re not actively involved, there’s a lot of information you don’t have access to that affects IT,” says Cashman CIO Glassen. “You end up with departments going out on their own and finding their own solutions.”

At Cashman, the sales department decided it needed CRM software, negotiated a deal by itself, and Glassen knew nothing about it until the department came to him and said, “Oh, by the way, we need this many laptops, this customization, this many days of training,” Glassen recalls. As a result, his staff of seven was completely overloaded. Scheduled maintenance work and upgrades had to be put on hold, and six months later, his staff is only now getting back on track.

The irony is that many companies are weakening the CIO position at precisely the time when the skillful and strategic management of IT resources matters most. As many technology experts argue (see “Why IT Really Does Matter,” by Michael Schrage at www.cio.com/printlinks), it is technology management that confers competitive advantage, not technology itself. Hire someone who’s not up to that task, and you jeopardize your marketplace advantage.

“A good IT shop and a CIO can be part of a company’s competitive advantage if they’re closely tied to the business and help it improve processes faster than their competitors. In fact, most competitive advantages have an IT component today,” says Fields of Hon.

“You need a CIO because you have to have someone to translate between IT and the business,” Glassen says. “If they view IT as a commodity, we’ll have everyone buying their own thing like we did 10 years ago, and we’ll end up with systems that don’t talk to each other. A CIO is necessary to bring coordination and focus.”

Finally, the line of reasoning that says, “Hey, we’re outsourcing it all anyway? We don’t need a CIO,” is fallacious on the face of it. “One of the key roles of the CIO has always been vendor management, and that’s going to be even more important going forward,” says Fields. “The more you outsource, whether you have people jumping to India or whatever; the more you have to be on top of everything. If that’s what a company’s going to do, they need a really good CIO, and they need to make the CIO position even more important. In general, the business just doesn’t understand the kind of risk” you have to manage when you outsource.

That’s the heart of the problem, and the most powerful argument of all. CIOs, or anyone in that position, manage an incredible amount of business risk. Even when it comes to highly commoditized IT services, such as keeping a network up, one small mistake can cost a company millions.

“There’s no asset more important than a company’s data,” Fields says. “You can’t give that responsibility to someone who doesn’t know how to handle it. That doesn’t argue for dumbing down the CIO role.

“It argues for making it even more important and keeping the seat at the executive table permanently.”

You can reach Senior Writer Stephanie Overby at soverby@cio.com.

Talk Amongst Yourselves

Is your own role changing? Worried about it? Share your reactions with your fellow CIOs when you ADD A COMMENT at the end of this article online. How are you rolling with the punches, or are you throwing your own? cio.com




It’s  easy  to  send  your  applications  offshore. 
It’s  harder  to  get  something  back. 


ILLUSTRATION  BY  JOHN  WEBER 


Security 


THE STATE OF INFORMATION SECURITY

“The State of Information Security 2003”
survey  covered  six  continents,  54  countries 
and  included  more  than  7,500  respondents. 

What  emerged  is  a  portrait  of  a  new  discipline 
taking  baby  steps  toward  defining  norms  and 
developing  best  practices. 

BY  SCOTT  BERINATO 
WITH  RESEARCH  EDITOR 
LORRAINE  COSGROVE  WARE 


The  best  place  to  start  with  “The  State  of  Information 
Security  2003,”  a  comprehensive,  exhaustive  survey 
of  global  securit 
partnership  wit 
with  what  it  doesn’t  include. 




It  doesn’t  include  any  revelation  that  will 
make  you  slap  your  forehead  and  exclaim, 
“Oh,  that’s  what  I  should  do!” 

Nowhere  in  its  pages  will  you  find  The 
Answer,  because  The  Answer  is  a  fiction, 
even  if  the  problem — how  to  know  if  you’re 
making  your  enterprise  as  safe  as  possible 
as  efficiently  as  possible — is  not. 

What this survey does include in its depth (7,500-plus respondents) and intricacy (44 questions cross-tabulated by company size, security budget, geographical region and dozens of other categories), is a profile of the imperfect and evolving world of information security. (You can view the entire survey at www2.cio.com/research and significant slices of it beginning on Page 86.)

According to the survey, you’re just beginning to appreciate information security as an ongoing discipline. You understand that establishing good security practices will be hard and will involve a complex integration of technology, education, risk analysis and regulation.


You  know  you  need  to  do  more,  but  the 
survey  indicates  that  you’re  not  yet  doing  it. 

In  one  sense,  you  can  hardly  be  blamed 
for  temporizing.  As  the  survey  shows,  right 
now  information  security  is  a  confused  and 
paradoxical  business.  For  example: 

■ You’ve increased spending significantly, and yet that investment has had no measurable impact on security breaches.

■ You’re constantly warned about digital Pearl Harbors, yet the vast majority of reported incidents are relatively small.

■ You’re told aligning security and business strategies should be a top priority, and yet those who’ve fared best avoiding breaches, downtime and security-related damages are the least likely to be aligned.

All this may be out of your enterprise’s control. However, in other areas, information executives seem to be contributing to the confusion. For example:

■ Respondents who suffered the most damages from security incidents were twice as likely as the average respondent to plan on decreasing security spending in the coming year.

■ Those same respondents were nearly half as likely to list staff training as a priority.

In short, the survey shows that as much as the information security discipline has grown since its baptism—on Sept. 18, 2001 (one week after the terrorist attacks and the day the Nimda worm hit)—it hasn’t much improved.

However, what’s crystal clear is that confidence in security correlates to better security. In other words, enterprises that believe they’re doing better are doing better.

What follows are five selected views of “The State of Information Security 2003.” Each view provides insight into some aspect of this complex new discipline, including an innovative method for benchmarking security spending.

You  may  not  find  The  Answer  here,  but 
you  will  find  data  and  lots  of  it.  And  there’s 
no  question  that  that’s  what  you  need  to  start 
improving  your  information  security. 


Survey  Methodology 


“THE STATE OF INFORMATION SECURITY 2003,” a worldwide study by CIO magazine and PricewaterhouseCoopers, was conducted online from April 15 through July 7, 2003. Readers of CIO, CSO magazine (a sister publication to CIO) and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results are based on the responses of 7,596 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security from 54 countries. The margin of error is 1.1 percent.

The study represents a broad range of industries, including computer-related (14 percent), government (9 percent), consulting and professional services (8 percent), financial services and banking (8 percent), noncomputer manufacturing (8 percent), and education (7 percent).

One-quarter of the respondents were IT executives, while 16 percent were information security professionals. Fifteen percent of those surveyed held CEO, CFO or non-IT director titles, and 19 percent were network administrators. Twenty-one percent listed “other.”

Forty-two percent of the executives surveyed reported total annual sales of less than $100 million, while 18 percent reported sales between $100 million and $999.9 million.

Twenty percent of the survey base said their organizations’ annual sales exceeded $1 billion, and 20 percent were nonprofit organizations and therefore did not report annual sales.

When asked about company size, 28 percent said their organizations had less than 100 employees, and 31 percent had between 100 and 1,000 employees. Nineteen percent of the survey respondents reported between 1,000 and 5,000 employees, and 21 percent had more than 5,000 employees. (Numbers may not add up to 100 percent due to rounding.)

-Lorraine  Cosgrove  Ware 




The Confidence Correlation

THOSE WHO ARE very confident in their security have a stronger security infrastructure in place, and they spend more on security as a percentage of their IT budget.


PROFILES IN CONFIDENCE

How confident are you that your organization's information security activities are effective?

The more security infrastructure you create, the more confident you’re likely to be.

| | OF THE “VERY CONFIDENT” GROUP | OF THE “NOT AT ALL CONFIDENT” GROUP |
|---|---|---|
| Information security is audited by a group outside IT | 49% | 29% |
| Security reports outside of IT | 32% | 17% |
| Security committee is responsible for setting policy | 27% | 12% |
| Infosec budget as a percentage of overall IT budget | 14% | 7% |
| Security reports to CSO/security committee | 13% | 5% |
| Security committee sets spending levels | 8% | 3% |

WHAT  THE  NUMBERS  MEAN 

Structure and dedicated resources breed confidence. And confidence, experts say, breeds better security. In a sea of data that fails to reveal relationships between security and best practices, the confidence factor is a welcome sight.

The respondents who describe themselves as very confident in their organizations’ security (24 percent) can be called security leaders. That group has created far more structure around security within the organization than the group that describes itself as less confident. They’ve hired more security executives and given those executives more control over policy, spending and personnel.

Another key point: The more confident a company is in its security, the less likely that security goes through the IT department. Many in the security world believe that IT’s control of information security has been a limiting factor in improving information security.

For  example,  if  the  CIO  is  responsible  for 
both  the  CRM  implementation  (which  he’s 
been  told  to  get  done  for  $2  million  in  one 
year)  and  information  security  (which  will 
add  both  time  and  money  to  the  project), 
which  charge  will  get  his  attention  and 
which  will  get  short  shrift? 




Bill  Spernow,  former  director  of  IT  for 
the  Georgia  Student  Finance  Commission, 
says  the  first  thing  he  did  when  he  got  his 
job  was  fight  for,  and  win,  independence 
from the IT department. “If I see an organization
where the CISO reports to some IT
component, I see a position that’s not working,
guaranteed,” says Spernow. “The conflict
of interest is just too much to
overcome.  Having  the  CISO  report  to  IT, 
it’s  a  deathblow.” 

TO  DO: 

1.  Create  structure  around  information 
security  by  hiring  a  CSO  or  creating  an 
executive  security  committee. 

2.  Remove  information  security  from  the 
purview  of  the  IT  department. 


The Per Capita Benchmark

DIVIDING THE SECURITY BUDGET by the number of employees reveals some surprising—and erratic—spending habits. But even here the confidence correlation is clear.


SECURITY SPENDING PER EMPLOYEE For a new perspective on spending, simply divide your infosec budget by number of employees.

| Industry | Security spending per employee |
|---|---|
| Energy utilities | $7,022 |
| Information security consultant | 2,268 |
| Software | 1,899 |
| New media | 1,885 |
| Computers/networking | 1,841 |
| Government | 1,797 |
| Consumer goods | 1,298 |
| Distributor | 1,297 |
| E-commerce | 1,252 |
| Other | 1,229 |
| Telecommunications/ISP | 1,211 |
| Broadcast/cable | 1,115 |
| Consulting/professional services | 1,110 |
| Biotech/biomedical | 1,057 |
| Aerospace | 780 |
| Semiconductors | 757 |
| Insurance/HMOs | 706 |
| Financial services/banking | 693 |
| Media/entertainment | 587 |
| IT vendors | 586 |
| Health care/medical | 548 |
| Logistics/transportation | 484 |
| Electronics | 481 |
| Utilities | 474 |
| Food/beverage | 423 |
| Industrial products | 419 |
| Nonprofit | 415 |
| Education | 414 |
| Real estate | 394 |
| Agriculture | 385 |
| Hospitality/travel/leisure | 350 |
| Petroleum | 311 |
| Publishing | 237 |
| Venture capital | 228 |
| Manufacturing/industrial (noncomputer) | 226 |
| Automotive | 220 |
| Chemicals | 184 |
| Construction/engineering | 184 |
| Pharmaceutical | 152 |
| Retail/consumer goods | 144 |
| Metals/natural resources | 106 |

WHAT  THE  NUMBERS  MEAN 

The per capita security spend—the information
security budget divided by the number of
employees — provides  a  benchmark  with 



which  a  company  can  compare  itself  within 
its own industry and across industries, regardless
of company size. It can also show how
spending  per  employee  varies  geographically. 
This  is  a  simple  but  powerful  metric. 

Impulsively,  you  might  use  the  spectrum 
to  see  if  your  spending  is  normal.  But  while 
there  is  an  overall  average  spending  level 
($964),  there’s  nothing  normalized  about  a 
range  that  goes  from  as  little  as  $100  per 
employee  to  well  into  the  thousands. 

Many  factors  could  account  for  this.  In 
some industries, the consequences of vulnerability
are exponentially greater, even if
personnel requirements are not. Energy utilities,
for example, are exquisitely sensitive
to  what  could  happen  if  their  security  were 
to  be  breached,  and  the  data  from  72  energy 
respondents  yielded  an  average  security 
spend  per  capita  of  a  little  more  than 
$7,000.  On  the  other  hand,  automobile 
manufacturers  may  have  less  at  risk.  Their 
per  capita  spend  came  in  at  $220. 



Despite the lack of a norm, the confidence
correlation shows up here too, and
starkly.  The  very  confident  companies  spent 
nearly  two  and  a  half  times  more  per  capita 
than  those  companies  that  lacked  confidence 
and  one  and  a  half  times  as  much  as  the 
overall  average.  (Interestingly,  the  6  percent 
of  respondents  who  said  they  were  unsure 
how  confident  they  were  spent  just  $585  per 
capita,  even  less  than  the  least  confident.) 

TO  DO: 

1.  Try  the  per  capita  security  expenditure 
calculation. 

2.  Compare  your  per  capita  expenditure  to  the 
average  in  your  industry,  and  to  the  very 
confident  and  not  very  confident  groups. 


Brushfires, Not Conflagrations

MAJOR SECURITY BREACHES are the exception,
not the rule. Most security incidents
lasted  less  than  a  day,  cost  less  than  $10,000, 
and  most  companies  had  10  or  fewer  of 
these  events  in  the  past  year. 


FEW ATTACKS The vast majority of companies dealt with fewer than 10 attacks per year. (Number of negative security-related events.)

LITTLE DOWNTIME In the rare event of a breach, downtime was usually limited to less than 24 hours.

MINIMAL DAMAGES Only 14 percent of attacks cost more than $10,000.


WHAT  THE  NUMBERS  MEAN 

“Terrorists Shut Down Power Grid.” “Hackers Cripple Allied Inc.” Both plausible headlines—or lines from security consultants trying to sell their services. But the survey data shows that information executives are not being confronted by events of that magnitude. They’re dealing instead with lots of brushfires.

The  question  then  becomes:  Are  the  big 
bang  incidents  rare  because  you’ve  protected 
your  enterprise  well?  Are  the  little  hacks 
common  because  you  haven’t  done  a  good 
job  protecting  against  them?  Or  are  the  big 
ones  rare  because  they’re  hard  to  pull  off 
and  you’re  simply  lucky  to  have  avoided 
them,  but  not  lucky  enough  to  have  avoided 
the  easier-to-execute  smaller  incidents? 

Howard  Schmidt,  vice  president  and 
CISO  of  eBay  (and  former  special  adviser  to 
the  White  House  for  cyberspace  security), 
thinks the prevalence of little bangs everywhere
does not suggest that business has
done a good job steeling itself against major
attacks. Instead, he sees a severe lack of discipline
everywhere.

“If  anything,  the  more  you  take  care  of 
the  little  stuff,  the  less  likely  someone  will 
be  able  to  pull  off  a  big  attack,”  says 
Schmidt.  “I  see  it  all  the  time.  Companies 
are  always  pushing,  ‘Let’s  just  open  this  one 
little  port.’  Then  next  thing  you  know,  they 
want  another  port  and  another.  And  that 
leads  to  all  these  vulnerabilities  that  turn  into 
little  brushfires.  No  one  draws  the  line  and 
says no. Instead of creating a culture of security,
we’re often creating a culture of getting
around  security.” 

The  encouraging  message  buried  in 
Schmidt’s  commentary  is  that  in  order  to 
mitigate  the  problem,  little  if  any  additional 
technology,  spending  or  other  resources  are 
really  required.  All  that’s  required  is  some 
discipline — someone  to  draw  the  line  and 
say  no. 

The other matter to deal with here is the high percentage of respondents (40 percent) who indicated that they were unsure of their losses. This probably can be attributed to the fact that security is still a young discipline. If it wasn’t money that was lost, respondents simply don’t know how to calculate the cost of losing intellectual property, or some part of a company’s reputation, or even downtime.

So they don’t try. This is a function of information security’s immaturity, a trait that will reappear in the next cut of data. If companies can’t calculate the cost of a breach, it’s highly unlikely that they’re even trying to create a formula for figuring security ROI.


TO DO:

1. Refocus a security program so that it takes into account the smaller, more frequent threats as well as “the sky is falling” threats.

2. Assign a disciplinarian, and vigilantly enforce security rules.

Still Reactive After All These Fears

DESPITE EXPERTS PREACHING about risk management and treating security proactively, security is still largely justified by fear and government regulation.


FEAR DRIVES SPENDING How are security investments justified in your company? (Respondents could check all that apply.)

REACTIVE FACTORS

Liability/exposure: 69%
Regulatory requirements: 53%
Revenue impact: 40%

PROACTIVE FACTORS


WHAT  THE  NUMBERS  MEAN 

No  matter  how  much  evangelizing  experts 
do  about  making  security  a  contributor  to 
the  bottom  line  and  measuring  its  ROI,  it’s 
still  easier  to  rely  on  scare  tactics  to  justify 
security  investments. 


More Facts, a Few Surprises and


THE UNITED STATES OF LITIGIOUSNESS In the wake of a security breach, Americans are eager to tell lawyers and the authorities, and far less likely to inform other important parties—like their customers.


Organizations that are informed of a negative security-related event

LEGAL COUNSEL
North America: 50%
Rest of world: 22%

GOVERNMENT AUTHORITIES (NATIONAL OR LOCAL)
North America: 38%
Rest of world: 19%

BUSINESS PARTNERS/VENDORS/SUPPLIERS
North America: 25%
Rest of world: 38%

CUSTOMERS
North America: 25%
Rest of world: 38%


Americans are eager to tell lawyers and the authorities about security breaches, but Europeans are more likely to tell their customers.


THE ROI OF FEAR The threat of getting sued loosens purse strings more than any other factor—especially in America.

Percentage  of  companies  that  used 
liability  as  a  justification  for  security 
investments 


North  America 


EUROPE THE PRIVATE Europe sets the gold standard for privacy practices.

Percentage of organizations that employed a chief privacy officer

Europe: 31%
Rest of world: 15%


THE ROAD IS SAFE, THE HOUSE IS NOT Data is rarely stolen when it's in transit. In fact, it's most often stolen from its place of storage. Still...

Percentage of companies that encrypted data

During transmission: 54%
In storage: 30%




the  Alignment  Paradox 


ALIGNMENT: A BAD THING? Those who said their security practices were closely aligned with the business were far more likely to suffer losses and downtimes than those who said security was poorly aligned. Could alignment be code for compromising security in order to please business leaders?

Percentage that said security is completely or closely aligned with business

Those with $500,000+ damages: 57%
Those with 10+ days downtime: 41%
Those with 50+ incidents: 54%


Percentage  that  said  security  is  poorly 
aligned  or  not  aligned  with  business 


WIRELESS DISCONNECT There’s considerable investment in wireless security...

Do you use wireless security?

Currently employ wireless security: 20%
Plan to use wireless security: 38%
Under consideration: 38%


...although  it’s  among  the  least  likely 
ways  that  hackers  use  to  attack. 

For  those  who  were  hacked,  what  was 
the  method  of  attack? 

Mobile/wireless  intrusion 
1 5% 


Those  with  $500,000+  damages 


19% 


Those  with  10+  days  downtime 


20% 


STUPID ABOUT TRAINING The greater the damages from breaches last year, the less likely that staff training will be a priority next year.


Those  with  50+  incidents 


16% 


THE BIG RETURN ON CORPORATE ESPIONAGE The more damaging the attack, the more likely a corporate rival is involved.

Percentage that said a competitor was the likely source of a security breach

Overall: 9%
When damages totaled $100,000 to $500,000: 15%
When damages totaled $500,000+: 25%


Percentage that named “staff training” a top-three priority next year


Those  with  no  damages 


The numbers indicate how counterproductive that is. For example, the low percentage of respondents who take into consideration the security requirements of their partners and vendors means that they aren’t thinking about security as an external networking problem. Their thinking still focuses on “How will a hacker attack me?” and not “How will any given hack attack reach me?” Also, companies aren’t demanding that their partners and vendors meet given security levels, which would make interaction safer.

Covenant Health is a perfect example. Covenant Health wasn’t attacked, but the Slammer worm still infected the five-hospital network in Knoxville, Tenn. It slithered through a port left open to a Covenant service provider. That provider was also infected but not attacked; the worm had infected the service provider through a port left open to one of its partners.

To  spin  an  old  caveat:  When  you  connect 
your  network  with  a  partner,  you’re  also 
connecting  to  your  partner’s  partners.  Yet 
only  22  percent  of  respondents  demand  that 
partners  practice  safe  business. 

Covenant Health Senior Vice President and CIO Frank Clark learned the hard way. He now demands partners meet certain security requirements that he defines before they’re allowed to link to his network. “We now make them specify exactly what they want access to and what ports they need,” he says. “What we’re finding is they themselves have a hard time knowing what they need access to.” Clark hopes the corrective action causes a domino effect — that by requiring his partners to meet higher security standards, his partners will require their partners to do the same, and so forth.

TO DO:

1. Pursue metrics and business justifications for security. Try to wean yourself away from using fear to justify security investments.

2. Set security requirements for anyone connecting to your network, and insist that partners and vendors meet those requirements.



No Correlations and Odd Correlations

IT  IS  DIFFICULT  to  find  a  relationship  between 
good  security  and  spending.  And  sometimes 
there’s  even  an  inverse  relationship. 

Surprising: 

The  difference  in  spending  between  those 
companies  that  have 

■  0-50+  incidents 

■  0-10  days  of  downtime  and 

■  $0-$500,000  damages  in  the  last 
12  months 

never  varies  more  than  1.06  percent. 

Weird: 

Companies  that  suffered  more  than  a  half 
million  in  security-related  damages  were 
more  than  twice  as  likely  to  say  they  were 
cutting  their  security  spending  as  those  who 
suffered  no  damages.  Those  who  had  more 
than  50  incidents  and  those  who  had  more 
than  10  days  of  incident-related  downtime 
were  also  more  likely  to  decrease  spending 
than  those  who  reported  no  incidents  and 
no  downtime. 

WHAT  THE  NUMBERS  MEAN 

Since company size (and therefore budgets) varies so widely across the survey’s more than 7,500 respondents, the relative measure of security spending as a percentage of the overall IT budget provides a better comparative measure than the total spent on security.

The  puny  single  percentage  point  between 
the  highest  spenders  and  lowest  spenders 
shows  that  those  suffering  fewer  security 
incidents  didn’t  necessarily  spend  more  to 
stay  secure.  Or,  conversely,  those  that  were 
hardest  hit  didn’t  spend  any  less  than  those 
untouched. 

So you can’t accuse the companies that suffered breaches of not spending enough. But perhaps they didn’t spend well. The hardest question for IT security officers to answer clearly isn’t, “How much should we spend?” but rather, “Where and how should we spend?”

The  answer:  Probably  not  on  technology. 

Security expert Bruce Schneier of Counterpane Internet Security, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World, believes that technology has been hamstrung in its ability to protect companies because it hasn’t been matched by security awareness.

“Most of the time security problems are inherently people problems, and technologies don’t help much,” says Schneier. “Photo IDs are a great example. Technologists want to add this and that technology to make IDs harder to forge, but I worry about people bribing issuing officials and getting real IDs in fake names. [At least two of the 9/11 terrorists did that.] Technology that makes the IDs harder to forge doesn’t solve that problem.”

Then  there’s  the  problem  of  companies 
not  using  the  technology  they  have  to  its  full 
potential. 

Seven out of 10 survey respondents used intrusion detection systems, eight of 10 used firewalls, and nine of 10 used antivirus software. But only 50 percent of events were detected through those technologies or through security service providers managing those technologies for a company. The other half were detected the harder way — by customers, colleagues or the news media alerting the company to a breach, or worse yet, to damages the event caused.

Companies have deployed so much technology, and have generated so much data in the form of log files, that they often have given up trying to interpret the data. The haystack’s grown too big to look for needles in it, says Andrew Toner, partner in PricewaterhouseCoopers’ security practice. “When they give up,” he says, “that’s when breaches happen.”

Giving up is one way to explain the tendency of companies that were hardest hit by hacks to cut their security budgets. Maybe these companies were hard hit by something else — the economy — and are cutting budgets across the board.

But  it’s  just  as  likely  that  they’ve  decided 
that  the  money  they  did  spend  was  not  spent 
well.  Why?  Information  security  has  not,  for 
the  most  part,  adopted  risk  management  as 
a  philosophy.  It’s  still  treated  binarily:  Either 
we’re  safe  or  we’re  not.  Either  the  money 
we  spent  worked  or  it  didn’t. 

“People think in terms of threats, not in terms of risk,” says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who previously served as a security manager and safety manager at two prisons. “Risk management allows you to assemble threats into some order or importance so the available funds can be used most effectively to prevent and prepare for the identified risks.”

So why haven’t information security professionals adopted a risk management approach? “Because it’s harder,” McCreary says. “It takes more time and effort and, of course, more knowledge.”

TO DO:

1. Spend for education and risk management training instead of technology.

2. Take better advantage of the technology you have by analyzing the data it generates, not simply viewing the technology as a tool to block attacks.

Why No One Hits .400 Anymore

THE  LATE  EVOLUTIONARY  naturalist  Stephen 
Jay  Gould  contended  that  complex  systems 
(like  nature  or  information  security)  evolve 
from  wild  variation  in  their  youth  to  relative 
uniformity  in  maturity  while  maintaining  an 
overall  constant  average  in  both. 

To make his point, Gould, as was his wont, used baseball. In Full House: The Spread of Excellence from Plato to Darwin, he noted that throughout the history of the game the aggregate batting average of major league hitters has remained constant at about .260 but that there used to be a much higher incidence of .400 hitters than there is now. In fact, the .400 hitter could be said to be extinct. Ted Williams was the last player to hit over .400, and that was in 1941. Previously, Ty Cobb and Rogers Hornsby each did it three times.

How come no one hits .400 anymore, despite the fact that hitters are stronger, use better equipment and have access to advanced training technologies like video? The reason, Gould asserted, is because everything has improved around them, notably pitching and fielding. When baseball was young, no one knew the optimum way to pitch to a batter, or the best strategy for positioning fielders, or even what degree of success or failure was of professional caliber. But, over time, data has been assembled and analyzed, and best practices have emerged. Everyone gets so good at what they do, Gould asserted, that it becomes more difficult either to fail or to excel.

Information security in 2003 is where baseball was in 1922, a year in which three players hit over .400, many hit in the high .300s, and still more hit in the .100s.

Today, there’s wild variation in how well companies secure their enterprises. But over time, Gould would argue, data will accrete, best practices will emerge, information security will normalize, and everyone will move toward the mean.

Until then, however, some companies are Ty Cobb, and many, many others can’t bat their weight.


Senior  Editor  Scott  Berinato  can  be  reached  at 
sberinato@cio.com. 


Learn  More  About  the  Security  Survey 


For a wrap-up of the full "State of Information Security 2003" CIO/PRICEWATERHOUSECOOPERS SURVEY, go to www2.cio.com/research. Go to the online version of this article to find our Web exclusive INTERACTIVE SURVEY MAP, detailing results from countries in the Americas, Europe and Asia.


The Who & The What


Budgets,  breaches  and  best  practices.  A  broad 
view  of  the  security  landscape  as  revealed  in 
“The  State  of  Information  Security  2003.” 


BUMP  UP  THE  BUDGET  Most 
companies  are  increasing  spending, 
and  many  security  budgets  that  were 
under  $100,000  last  year  are  more 
than  $100,000  this  year. 

Compared  to  2002,  your  security 
budget  in  2003  will... 


Decrease a little
Decrease significantly
Increase a little
Stay the same
30%


STILL  UNDER  I.T.’S  THUMB 

Information  security  is  still  largely 
under  the  control  of  IT,  which 
devotes  11  cents  out  of  each  dollar 
it  spends  to  security. 

To  whom  does  your  security 
organization  report? 


IT 

CIO 

CEO 

CSO 


41% 


21% 


16% 


CF0  B°/o 

Other  12% 


Is  information  security  included  in  your 
company’s  IT  budget? 


Infosecurity budget 2002 vs. 2003

Budget                2002    2003
Less than $10,000     39%     29%
$10,000 to $99,999    36%     34%
$100,000 to $1M       17%     23%
More than $1M          8%     13%


Average  infosec  budget  as  a  percentage 
of  the  IT  budget  for  2003 




PLANS  FOR  INTEGRATION  Nearly 
half  of  the  companies  that  said  they 
integrated  information  security  and 
physical  security  were  combining  the 
two  via  policy. 

Is  physical  security  integrated  with 
IT  security  in  your  organization? 


FULL-TIME  HELP  More  than  half 
of  the  responding  companies  devote 
fewer  than  five  full-time  employees 
to  information  security. 


Total  salaried  employees  dedicated 
to  information  security 


5  to  9 


If  you  answered  yes,  how  are  physical 
and  IT  security  integrated  at  your 
company? 


My organization has an IT/physical security committee

IT and physical security policies/procedures are integrated

Both IT and physical security departments report to same exec

WISHFUL  THINKERS 

10%  of  respondents 
believed  that  100% 
of  their  users  are  in 
compliance  with  their 
companies’  information 
security  policies,  while 
24%  neither  measured 
nor  reviewed  their 
security  policies. 


POLICY  HERE,  SPENDING  THERE 

For  the  most  part,  security  policy  and 
security  spending  are  controlled  by 
different  groups  or  individuals. 

In  your  organization,  who  is  responsible 
for  setting  security  policy  and  spending 
levels? 


CIO
Head of infosec/IT
CEO
Security administrators
Infosec committee
CSO
CFO
Business unit leader
Consultant
Other

47% Policy
41% Spending


Policy 

Spending 


The  biggest  barrier  to  good  security, 
in  the  opinion  of  our  respondents? 
Why,  money,  of  course. 




PROBLEMS  In  a  category  where 
they  could  check  all  that  apply, 
respondents  did  just  that  to  indicate 
the  outside  forces  that  make  their  jobs 
hard.  Of  course,  (lack  of)  money 
topped  the  list. 


What,  in  your  opinion,  presents  a 
barrier  to  good  security  measures 
in  your  organization? 


Limited budget: 64%
Lack of time to focus on security: 47%
Lack of staff dedicated to security: 39%
Lack of security training/awareness: 32%
Lack of support from executive management: 27%
Complex technology infrastructure: 27%
Unqualified IT/security staff: 24%
Lack of cooperation between groups: 24%
Poorly defined policy: 22%
Lack of mature tools/technology: 20%
Poorly designed and/or built IT infrastructure: 19%
Lack of collaboration between physical and information security teams: 14%


BEST PRACTICES—SECURITY POLICY The most and least common best policy practices.

My  organization  employs  the  following 
information  security  safeguards 

MOST COMMON

Have formal processes for business continuity/disaster recovery: 65%
Have formal processes for incident response: 54%
Have a process for evaluating risks and vulnerabilities on a regular basis: 49%

LEAST COMMON

Information security reports to a group or individual outside of IT: 24%
Have a process to evaluate ROI for security initiatives: 14%
Developed a process to calculate the cost of a security breach: 12%


NEXT  YEAR’S  VAGUE  TO-DO  LIST 

The  priorities  for  next  year  were  the 
most  general  security  practices. 

Top  three  security-related  organizational 
priorities  for  next  year 

Raise end user awareness of policy and procedures: 55%
Train staff: 41%
Develop security policies and standards: 35%


BETTER  SECURITY  THROUGH 
SCIENCE  The  most  and  least 
commonly  deployed  security 
technologies. 

My  organization  employs  the  following 
tools  to  identify,  mitigate  and  address 
vulnerabilities 

MOST COMMON

Virus detection: 93%
User passwords: 89%
Network firewalls: 82%


LEAST  COMMON 

PDA  security 
|  9% 

Biometrics 
|  5% 

Testing  for  system  policy  compliance 
0% 


BEST PRACTICES—PRIVACY The most and least common best practices employed to ensure privacy.

My  organization  employs  the  following 
data  privacy  safeguards 

MOST COMMON

Inform employees of privacy policy and behavior: 75%
Encrypted transmission of data: 54%
Role-based access control: 53%

LEAST COMMON

Adoption of regulatory requirements: 30%
Third-party assessment/verification: 24%
Chief privacy officer/data protection commissioner: 19%




Tom King, CISO of Lehman Brothers Holdings, says there are huge benefits to an identity management system that automatically determines what kind of access each employee can have to various trading applications and databases.


Identity  management  projects  promise  big  returns, 
but  be  prepared  for  long,  complex  implementations 


BY  BEN  WORTHEN 


TOM KING, CISO of Lehman Brothers Holdings, had what seemed like a relatively simple idea. If his company could automatically grant access to financial trading applications from a central provisioning system instead of on an app-by-app basis, it could both increase the efficiency of its workforce and keep better tabs on who was using what applications. It soon became clear, however, that setting up such a system was merely one step in a very long process.

First, King had to develop a single repository for identity information within the company—he had to know who the users were before he could grant them access to the applications. And each application would need links to the new identity repository. King soon found himself mired in a full-scale identity management project.


Reader ROI

► Why IT managers are moving ahead with identity management

► How ID management can become a multiyear project

► What steps to take before you begin ID management projects



That was three years ago. King is still far from done. “I don’t see an end to it,” he says. “There are literally hundreds of applications” that should be part of the identity system.

So why bother with identity management at all? Because the returns can be impressive. According to a survey of more than 7,500 top IT execs cosponsored by CIO and PricewaterhouseCoopers, the top two strategic security initiatives for CIOs during the next year are to block unauthorized access to systems and to monitor systems activity (see “The State of Information Security 2003,” Page 79). Identity management systems can help you do both. They also let CIOs provide new employees with almost immediate access to the applications they need (and take away access from former employees just as quickly). And since authentication (you are who you claim) and authorization (you’re allowed to do what you’re trying to do) occur at one location, employees can access all their applications with a single user name and password, a move that can dramatically cut down help desk calls.

With benefits like those it’s no wonder that consultancy NerveWire found that 38 percent of the 145 companies it surveyed expected an ROI of as much as five times on their identity management investment, and another 10 percent expected even higher returns. But few companies have achieved such numbers yet. The CIO-PWC survey, for instance, found that among North American respondents, only 9 percent reported that their identity management projects had achieved their objectives.

Too  often,  identity  management  projects  become  too  large  or 
cumbersome  to  finish  on  schedule.  After  all,  there  will  always  be 
more  applications  to  integrate  into  the  system.  King  has  reached 
that  point  at  Lehman  Brothers. 

“We’re  at  a  crossroads,”  he  says.  “We  have  to  decide  how  far  we 
are  going  to  go  with  it.” 

Who  Has  Access  to  What 

Part of the problem is confusion about what defines identity management. Vendors use the phrase to mean any number of things, from single sign-on applications to certificate authentication. Yet such technologies are really just add-ons to identity management.

Essentially, identity management is a system that serves as the authoritative identity record for an entire company. Each entry in the system should contain all the identity information associated with one individual — an employee, customer or partner — from name to Social Security number to employee identification number. This identity data can then connect to a company’s existing systems, ultimately granting new users automatic access to applications (a process called automatic provisioning), allowing for password consolidation or “single sign-on” to multiple, linked applications, as well as providing the company with a detailed audit trail.

For  most  companies,  however,  that  vision  is  far  from  a  reality.  “If 
you  don’t  have  identity  management,  there  are  all  sorts  of  ways  that 


Keep  It  Simple 

When  you  begin  linking  apps  to  your 
identity  management  system,  make 
sure  you  start  with  the  easiest,  most 
popular  applications 

The key to doing an identity management project is knowing which applications to start with and when to say stop. When installing the system, SPX Chief E-Business Officer and CIO Pete Sattler says you should probably fall back on the old 80/20 rule—that is, 80 percent of the benefits come from integrating 20 percent of the applications. For example, Sattler started with Lotus Notes and the company’s VPN, which were the two most popular applications. While Web-based applications are relatively easy to integrate, legacy applications usually require hand coding, which translates into time and money. For this reason Sattler advises not integrating legacy applications if they don’t have enough users to justify the expense. He says there are some legacy applications he never expects to connect.

Every executive and analyst interviewed for this article also advised starting your identity management project as soon as possible—even if it extends to only a few applications. You can always link new applications you bring into the company to the identity system down the road, says Earl Perkins, vice president of security and risk strategies for Meta Group. An average company may have more than 100 applications that it will ultimately need to integrate with the identity management system. Perkins says that there is no sense in waiting to do identity management until you have 200 such applications.

“If you are avoiding [the project], you are only going to make it worse,” Perkins says. -B.W.


people will get [access],” says King. Most often a user calls the
application administrator demanding access; if the user is belligerent
enough he gets it. In such an ad hoc environment, there is no way for a
CIO to guarantee that employees gain access to only the applications
they require. Furthermore, access levels can vary within applications.
For instance, one of the first applications King linked to the identity
management system was a Web-based intranet application that helps
employees monitor their benefits. If employees want to view general
benefit data on the intranet, their basic log-on credentials are
sufficient. But if they want to browse confidential data related to
their own benefits, the system requires an additional factor, like a
secure ID token.

Beyond mere provisioning, identity management can also track who used
what application when, providing CIOs with an application audit trail.
That can be instrumental in helping companies comply with government
regulations such as the Sarbanes-Oxley Act. Pete Sattler, chief
e-business officer and CIO of manufacturing company SPX, says
Sarbanes-Oxley is the top driver behind his company’s identity
management project. (Sarbanes-Oxley requires that companies certify
that no one has tampered with quarterly and annual financial reports,
and having audit ability is the only way to guarantee that.) Sattler
has other reasons, however. Fifty percent of his company’s help desk
calls come from managers and users who have either forgotten their
passwords or need their IDs changed—calls that experts say can cost a
company up to $25 a pop. “Those go away when this goes live,” he says.
In the new system, each employee will have one user name, password and
PIN. If an employee forgets his password, he can simply log on to the
company intranet, enter his PIN and a key phrase, and automatically
reset his password. That alone will pay for the project over time, says
Sattler. (Employees may be less likely to forget their PIN because,
unlike the password, it doesn’t have to be changed as frequently.)

The top two strategic security initiatives for CIOs during the next
year are to block unauthorized access to systems and to monitor systems
activity. Identity management systems can help you do both.

What  Integrates  with  What 

Of course, identity management has more than its share of challenges.
The first and most time consuming is integration. Currently, no
standards exist for identity records and authentication processes.
Security assertion markup language (SAML), an XML framework, is gaining
momentum in standards organizations such as Oasis and the Liberty
Alliance, but it is awaiting formal standardization. As a result, not
only do old applications not have a single format for identity
information, but neither do new ones. “I may be psattler in one system,
Pete Sattler in another and [something else] in a third,” says Sattler.
Identity management vendors have created tools that let CIOs
synchronize most Web-enabled applications to an existing identity
directory in a matter of hours. Older applications, however, require
more time and oversight. In some cases, it may be a simple matter of
building an application program interface, or API, that links the
application to the identity database so that it can tell the
application that psattler is Pete Sattler. But even those cases may
require initial (not to mention expensive and slow) human oversight to
make sure that one system’s psattler isn’t actually Paul Sattler
instead of Pete.
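
The psattler problem described above, as an added example that is not code from the article or from any identity management product: application accounts are linked to the identity directory automatically only on a unique key (employee ID or e-mail), name-only matches go to a human review queue, and accounts with no plausible owner are reported as orphans. The employee IDs, e-mail addresses, application labels, field names and the `reconcile` function are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import re
import unicodedata


@dataclass(frozen=True)
class Identity:            # one entry in the authoritative identity directory
    employee_id: str
    given_name: str
    family_name: str
    email: str


@dataclass(frozen=True)
class AppAccount:          # one account as exported from an application
    app: str
    login: str
    display_name: str = ""
    email: str = ""
    employee_id: str = ""


@dataclass
class Decision:
    account: AppAccount
    status: str            # "linked", "review" or "orphan"
    candidates: list = field(default_factory=list)  # employee_ids
    evidence: str = ""


def norm(text):
    """Lower-case, strip accents, keep only letters and digits."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def name_keys(person):
    """Name forms seen across applications: psattler, petesattler, sattlerpete, sattlerp."""
    g, f = norm(person.given_name), norm(person.family_name)
    return {k for k in (g[:1] + f, g + f, f + g, f + g[:1]) if k}


def reconcile(directory, accounts):
    by_id = {p.employee_id: p for p in directory}
    by_email = {p.email.lower(): p for p in directory}
    by_name = defaultdict(set)
    for person in directory:
        for key in name_keys(person):
            by_name[key].add(person.employee_id)

    decisions = []
    for acct in accounts:
        # Strong evidence: a unique key that the directory also holds.
        if acct.employee_id in by_id:
            decisions.append(Decision(acct, "linked", [acct.employee_id], "employee_id"))
            continue
        owner = by_email.get(acct.email.lower()) if acct.email else None
        if owner:
            decisions.append(Decision(acct, "linked", [owner.employee_id], "email"))
            continue
        # Weak evidence: names only. Never auto-link; a person must confirm.
        from_login = by_name.get(norm(acct.login), set())
        from_display = by_name.get(norm(acct.display_name), set())
        narrowed = from_login & from_display
        candidates = sorted(narrowed or (from_login | from_display))
        if candidates:
            decisions.append(Decision(acct, "review", candidates, "name"))
        else:
            # Nobody in the directory plausibly owns this account.
            decisions.append(Decision(acct, "orphan", [], "no match"))
    return decisions


# Constructed sample data (IDs, e-mail addresses and app labels are made up).
DIRECTORY = [
    Identity("E1001", "Pete", "Sattler", "pete.sattler@example.com"),
    Identity("E1002", "Paul", "Sattler", "paul.sattler@example.com"),
    Identity("E1003", "Maria", "Núñez", "maria.nunez@example.com"),
]
ACCOUNTS = [
    AppAccount("notes", "Pete Sattler", email="Pete.Sattler@example.com"),
    AppAccount("vpn", "psattler"),
    AppAccount("whitepages", "psattler", display_name="Paul Sattler"),
    AppAccount("erp", "sattlp01", display_name="SATTLER, PETE"),
    AppAccount("intranet", "mnunez", employee_id="E1003"),
    AppAccount("hr", "x_batch7"),
]

if __name__ == "__main__":
    for d in reconcile(DIRECTORY, ACCOUNTS):
        print(f"{d.account.app:<11}{d.account.login:<14}{d.status:<8}{d.candidates} ({d.evidence})")
```

The `review` rows are the human-oversight step the article describes; the `orphan` rows are accounts to investigate before the application is placed under central provisioning.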

Furthermore, older applications that don’t have APIs, as well as
mainframe applications lacking Web front ends, will require manual
integration. This fact has driven many CIOs to phase in identity
integration, starting with the most important applications. Sattler,
who has so far linked only his company’s identity directory to the
company’s white pages application, says that his plan is to go after
“the applications with the biggest influence up front and then slowly
start chipping away.” That means tackling Lotus Notes and the virtual
private network first. He then expects to add the company’s three ERP
systems and the HR system to the list.

“I  don’t  envision  ever  having  all  of  my  systems  [integrated],”  he 
says.  In  some  cases,  the  cost  of  integration  is  prohibitively  expensive.  In 
such  cases,  he’ll  just  let  the  applications  run  the  way  they’ve  always  run. 




Who  Owns  the  Data 

erry  Howell,  enterprise  portal  program  manager  for  the 
U.S. Navy, which is currently undertaking its own massive identity
management project, agrees with Sattler. “The problem is that
[integrating the legacy system with identity management] is pretty much
a manual process,” he says. “It is going to be hard. But that’s not the
scary part. The scary part is the politics that are on top of that.” In
fact, the biggest obstacle to identity management is the battle over
who owns identity data and who controls access to it.

For example, the Navy’s identity management effort has been hamstrung
by the process by which IT projects get funding: Each project has to be
approved by Congress, have a dedicated administrator, and until now, it
usually has had its own infrastructure. The fragmented framework gives
individual administrators carte blanche to choose their own identity
standards, as well as the power to grant and deny user access.

Howell says that so far, Naval administrators have been reluctant to
let his team take away that control. The Navy has “tried everything
under the sun” to get them to migrate to the new identity system. It
has even slowed the project so that the estimated finishing date has
been pushed back from 2004 to 2009. Moving forward, however, often
requires a heavy hand. “We beat them up until they do it,” Howell says,
only half-joking. He has, in fact, had to “publicly guilt” someone,
openly naming him to higher-ups as impeding Naval modernization.

[Photo caption] Pete Sattler, CIO and chief e-business officer of
manufacturing company SPX, says the auditing requirements in
Sarbanes-Oxley are the top drivers behind his company’s identity
management project.

Most private-sector CIOs haven’t had to take such drastic steps, but
they do acknowledge that getting people to commit to new identity
systems requires a lot of convincing. And in some cases, it’s simply
not worth the effort. Such is the case at Nucor, a $4.8 billion, highly
decentralized steel producer. CIO Scott Messenger says he didn’t even
try to wrest control of divisional HR applications away from their
long-time owners—he knew that would be a losing battle. Instead,
corporate made its own identity database, which contains all the
employee information from the divisions, but the database interacts
with divisional applications only in a few places, such as the
financial reporting function. “We need centralized reporting,” says
Messenger, who simply added a layer on top of the existing divisional
software. The divisions still control the applications, but corporate
can tell who is using what and when, while simultaneously controlling
access. The integration was still reasonably complex, says Messenger,
but it wasn’t anywhere near as complex as running all the divisional
applications off of the identity management system—and it didn’t
require a lot of politicking.

What’s  the  Password? 

Even after the problems of integration and politics have been licked, a
larger issue looms: security. Whenever you have one system responsible
for authentication—regardless of whether you have a single sign-on—you
create a single point of failure. With an identity management system in
place, a hacker would potentially need only one user name and one
password to access multiple applications.

Identity management can increase security (by automatically
deprovisioning former employees and keeping users from needing to do
dumb things such as writing passwords on sticky notes), but only if you
demonstrate the proper diligence. “You can think of [identity
management] as the ultimate Trojan horse,” says Lehman’s King. “This
has got to be the most secure system on your network.”

Having a single database responsible for identity and authentication
information—and a single sign-on for access—requires that you enforce
use of complex passwords and password updates. Sattler recently tested
his new system, which requires employees to use complex passwords
containing numbers and letters, against the old approach. “I ran a
hacker tool I downloaded, and it guessed my old password in two
minutes,” says Sattler. But it would be impossible to enforce the new
system if people had to remember 12 such passwords, he says.

Thus, while the single sign-on system is a risk, CIOs agree that the
opportunities it presents for cost savings, increased efficiency and
better usage-tracking outweigh the potential of an attack. “You are
always balancing convenience and access to business applications with
risk,” says King.

Who’s  Selling 

There’s one last hurdle that CIOs pursuing identity management need to
consider: finding a single vendor that can provide you with a full
identity management suite. That will be difficult, if not impossible.
It’s getting better, says Earl Perkins, vice president of security and
risk strategies for Meta Group. There has been substantial
consolidation during the past year, but right now the muddled vendor
landscape just adds to the confusion. Many CIOs are forced to create
patchwork solutions with software that handles the identity database
from one company, while another company deals with provisioning and a
third implements security. Gartner lists only four vendors—IBM,
Netegrity, Novell and Oblix—that can deliver anything like a full range
of products, with IBM, which went on an identity vendor shopping spree
last year, on top of the list. Niche players, however, remain the
largest category in the identity industry.

“We  don’t  expect  there  to  be  just  one  vendor,”  says  King.  “A  lot 
of  this  will  have  to  be  homegrown.” 

Still, it hasn’t prevented King from doing identity management. It may
require piecing together, but all the pieces fit. “There is huge ROI,”
he says. “It’s silly not to do it.”


Staff  Writer  Ben  Worthen  can  be  reached  via  e-mail  at  bworthen@cio.com. 




Talk to Tom King

As Lehman Brothers Holdings CISO, Tom King has made some tough
decisions about identity management programs. How about you? To get the
insight of his experience, ASK THE SOURCE. Pose your questions or share
your tales with King through Oct. 31. Go to www.cio.com/ask.



Storage 


For many companies, storage has been an out of sight, out of mind
thing. But efficiencies and cost savings abound for CIOs willing to
take the necessary steps toward a rational storage plan.

By Todd Datz


from your storage dollar, you need to have a strategy in place. That
became clear to David Corwin, senior director of technology services at
Yellow Technologies, the IT division of transportation company Yellow
Corp. During the past 18 months, his group has worked to recast
existing storage policies into a strategy aimed squarely at future
corporate needs. For Yellow, that meant understanding where storage
needs were growing, which were growing fastest (collaborative
environments such as e-mail and file/print services, as it turned out)
and what business needs were driving that growth. One result of the
strategy was the decision to consolidate three storage area networks
into one. “Three SANs is three times the administration [costs],” says
Corwin. Sometime before the end of 2003, Yellow will further define its
policies for retaining data as part of its overall strategy.

Jamie Gruener, a senior analyst at the Yankee Group, notes that in the
'90s many IT execs bought storage infrastructure without a master plan
to guide them. “We’re no longer in a period of time when you can’t have
some sort of strategic planning initiative in place,” he says. That
means assessing what you have, doing an annual forecast that includes
capacity needs, figuring out what department or unit is consuming what
amount of storage, having a backup and recovery plan, and deciding on
the best management tools.

Reader ROI

► Why it’s essential to develop a storage strategy

► How a storage area network can reduce costs and complexity

► What attributes are key in a storage management team


Create a Dedicated Team

Two years ago, execs at Alliant Energy, a midwestern energy provider,
challenged a group selected from its Intel server and Unix and database
administration teams to find common solutions to storage problems. The
team consolidated disk space using its SAN and developed processes for
managing the company’s backup and recovery. “Before, all server
administrators needed to be storage experts. Now a few people manage
all storage, and they’re the experts,” says Gregg Lawry, Alliant’s IT
managing director. The result has been a reduction in the number of
server admins who need to worry about storage from 15 to three and,
thanks to disk space consolidation and other money-saving decisions, a
reduction of 58 percent in Alliant’s unit price for storage.

At Paccar, a global truck manufacturer, storage responsibilities are
being shifted from server teams to a two-person storage management
team. “You’ve got to peel somebody off and say, ‘Your job is to manage
storage across the whole organization,’” says vice president and CIO
Patrick Flynn. At Paccar, project managers know they need to sit down
with a storage resource manager to think about file sizes, backup
frequencies and data security issues. With common processes in place,
Paccar has saved money by consolidating servers, reducing the amount of
direct-attached storage (DAS) and utilizing capacity more efficiently.


Consider SANs

DAS connects storage resources directly to a single server. Storage
area networks provide pooled storage connected to a LAN. And increased
asset utilization can be a quick SAN benefit. “So if you go from a 40
percent rate on DAS, by pooling storage on a SAN, you may get a 60
percent utilization rate. When dealing with terabytes of storage,
that’s a lot of money,” says Phil Goodwin, senior program director at
Meta Group. He also says SANs can help increase organizational agility
by making it easier to redeploy storage resources from one application
to another.

Another benefit of SAN technology is faster application development
testing. Alliant’s Lawry says that in his company’s previous DAS
environment, after running a test, it could take a day or two to
restore the data attached to the server and set up the environment
again. With a SAN, multiple versions of data can be replicated in a
short period of time so that developers can run parallel tests without
having to restore data.

At Denver Health Hospital Authority, which provides care to 30 percent
of Colorado residents, CTO Jeff Pelot uses two SANs, from EMC and
LeftHand Networks, to maintain system availability—which can mean the
difference between life and death. He says that with its old DAS setup,
the medical records system once went down for 36 hours. “The restore
was incredibly difficult,” he says. “With SAN, our data is pretty well
protected at any given time. If there’s any outage, we can get back to
a point in time, say an hour before the failure, where the data was
synched.”

SANs aren’t perfect, of course. DAS can be superior for high-level
security purposes (a nuclear power plant might want to physically
isolate data on DAS) or if a data warehouse is attached to a single
server (in which case SAN connectivity doesn’t buy you anything). And,
of course, SANs still require an up-front investment, which may be a
hard sell given tight IT budgets.


Consider Buying SRM Tools

Storage resource management (SRM) tools can provide some clarity in a
complex environment. “SRM software is one of the best ways to look at
capacity—who’s consuming it, and who last accessed it,” says Gruener.

Goodwin likes SRM tools because they can help identify duplicate and
obsolete copies of data, which can slow storage growth. He says that
the real culprit in growth is not primary storage (such as
transactional data) but secondary storage requirements, such as
duplications for backup, disaster recovery and data mining. According
to Meta Group research, secondary storage requirements will exceed
primary by seven to 15 times through 2008. “[SRM] is really a storage
reporting tool,” Goodwin says. “You have to understand what you’ve got
and how it’s used before you can make a decision on how to improve it.”

Increasing your utilization rate may not make economic sense if, for
example, it would require a higher cost to manage that capacity.

classify  YOUR  DATA 

Companies are sitting on mountains of data, especially in recent years
with the growth of data-intensive ERP and CRM systems, newsfeeds,
Web-based marketing programs and the like. Adding to the information
explosion are regulatory requirements, such as the Health Insurance
Portability and Accountability Act. Richard Scannell, vice president of
corporate development and strategy at GlassHouse Technologies, a storage
analyst company, says that reference data — data about data — outstrips
the amount of original data being created. He recommends segmenting data
into two or three discrete tiers. For example, 20 percent of a company’s
data might be deemed critical; 30 percent very important but could be
lived without for eight hours; and the remainder necessary to keep for
regulatory purposes, but a company could wait for three days to recover
it from tape.

At Alliant, Louis Chiang, manager for IT applications hosting, says his
company is classifying data now and hopes to do more in the future. He
cites the storage for a customer support application, which resided on a
two- or three-year-old disk, that they recently upgraded. Instead of
discarding the older disk, it now stores less critical file and print
apps.


Learn More

To get an OVERVIEW of the wild world of data storage, read the CIO
EXECUTIVE SUMMARY, which includes buzzwords, metrics, a bibliography and
more resources on the topic. Go to www.cio.com/printlinks.


know YOUR CUSTOMER

As CIO at Case Western Reserve University, Lev Gonick deals with
customers — faculty and research administrators — who can be right
prickly when it comes to data ownership. About a year ago, Gonick began
moving from a highly distributed DAS environment to a highly centralized,
more secure SAN architecture. As part of that security, Gonick thought it
made sense to have the SAN management team be responsible for restoring
enterprise data that had been deleted. But Gonick says many of the
faculty felt ownership of the data and wanted the ability to restore it
themselves. So Gonick decided to allow faculty and their research
administrators to access servers with digital IDs, even though it
increased security risks to some extent. The value? “Significantly fewer
Tylenol 3 headaches,” from dealing with peeved users, says Gonick.

measure YOUR DECISIONS

Make sure decisions take into account your favored metrics, whether total
cost of ownership (TCO), ROI or something else. In terms of TCO, Randy
Kerns, senior partner at storage analyst company Evaluator Group, says
the dominant metric should not be the total amount of storage, but the
amount of managed storage, or capacity per administrator. That number can
affect decisions about such issues as utilization. He says that SRM
software vendors will tell you you’re only using, say, 40 percent of your
storage and that their product could push that to 60 percent. But Kerns
advises that increasing your utilization rate may not make economic sense
if, for example, it would require a higher cost to manage that capacity.

Another metric he advocates is time-to-deployment — the time it takes
from the moment you need more storage to the time it goes live. “If it
takes two weeks, how much value have I lost?” he asks.


get  A  SENSIBLE  RECOVERY  PLAN 

What is the dollar value associated with time to recovery? How long will
it take to get systems back up, and how much is that time worth? Those
are a few of the questions you should ask as you put a plan in place,
says Kerns. “If I’m back in business in two hours, it will cost me X
amount of revenue. If eight hours, I’ve lost revenue and maybe lost
customers. In two days, maybe the survival of the company comes into
play. The value of knowing that tells you the importance and expenditures
you need to make to implement a [storage] solution,” he adds.

GlassHouse’s Scannell agrees that the cost of a recovery or backup
strategy should be measured. He cites one customer who had a tape-based
backup environment with multiple libraries of tapes it didn’t need.
Hundreds of tapes were only 10 percent to 30 percent full because of a
configuration option that was chosen when the tapes were purchased. By
simply tweaking the configuration, fewer tapes went offsite, reducing
hardware and processing needs and requiring fewer people to manage the
process. Total savings: $1 million.

Scannell also says the area of data replication may be ripe for potential
cost savings. Say a company has two data centers with data copied
automatically — in real time — between each center. Yet the company also
employs a snapshot solution that replicates data every 15 minutes. Does
it still make sense to take snapshots as often when the data is also
replicated in the two data centers? “These questions of policy and the
domino effect they have are very poorly understood,” Scannell says.


look  FOR  CREATIVE  WAYS 
TO  REDUCE  COSTS 

There may be a number of ways to save money that you haven’t had the
time, resources or brainpower to consider. Yellow Technologies acquired
storage in larger portions in one procurement cycle per year instead of
multiple times, says Corwin. Instead of buying 1 terabyte four times a
year, for example, the company buys 4 terabytes once a year. That allows
Yellow to leverage price breaks from its vendors, and it reduces the
overhead costs of being in multiple procurement cycles. “Four RFPs a year
is quite time consuming,” he says.

By paying attention to his faculty, Case Western’s Gonick tries to figure
out how much storage he’ll need at a future date. If he needs 10
terabytes of storage now, but thinks that he may need five more terabytes
in a year, he gets his vendor to commit to one price in advance. “We have
an option to scale at the same price point,” he says.

Goodwin  also  advises  charging  storage 
costs  back  to  the  business  units.  “When 
there’s  no  relationship  between  cost  and 
consumption,  there  will  be  unlimited 
demand  for  consumption,”  he  says. 


think  LONG-TERM 

Buying the cheapest hardware or software may save you money up front, but
how does it fit into your long-term storage plan? The majority of your
storage budget is spent on administration, not product; and hardware and
software that costs less initially might cost significantly more down the
line. Ultimately, says Evaluator’s Kerns, the business requirements must
drive the storage purchase. “Maybe the cost of implementing fibre channel
versus IP [channel] is twice as much money. But if you’re worried about
that, you better find a new job because it’s a bigger picture issue,” he
says.

Storage must be managed like a resource, says Paccar’s Flynn, so you need
to invest in the people and tools to best manage it. Now is a great time
to negotiate with vendors, he says, noting that there’s probably never
been a better time to get them to compete for your business. “We can
continue to invest and drive out some screaming deals,” he says.

Yes, rock-bottom bargains are a good thing. But if you don’t have a
handle on what you’re buying and why, the deals of today are doomed to
failure. Make sure you have a storage management strategy in place and
people dedicated to carrying it out. Then use the rest of the tips
previously mentioned to crank out the most value from your storage
investments.


Senior  Editor  Todd  Datz  can  be  reached  via  e-mail 
at  tdatz@cio.com. 




Case Files: VALUE SYSTEMS

ORGANIZATION
Visiting Nurse Service of New York

PRINCIPAL BUSINESS
Home health care

HEADQUARTERS
New York City

USERS
The VNS IT group supports a field staff of 2,100 nurses, 500 therapists
(PT, OT and speech therapists), 450 social workers and 3,810 home health
aides.

URL
www.vnsny.org

VALUE PROPOSITION
Develop an effective method for determining the potential value of
proposed IT projects

THE PLAYERS
GEORGE GERMANN, CIO
SAM HELLER, CFO
INGRID JIMENEZ, VP of Operations

CASE ANALYST
GOPAL K. KAPUR, President, Center for Project Management

Visiting  Nurse  Service  of  New  York 


Rapid  growth  forced  the  Visiting  Nurse  Service  of  New  York  to 
develop  a  customized  value  methodology  that  has  helped  bring 
projects  and  goals  into  focus 
BY  LAFE  LOW 

When CIO George Germann joined the Visiting Nurse Service (VNS) of New
York in November 1997, the process for selecting and approving IT
projects was simple and straightforward, much as the business itself was
back then. “We had a project request process, but it was largely ad hoc,”
Germann says. He and his staff would sift through requests, balance
available resources, and then Germann would present a list of recommended
projects to VNS CEO Carol Raphael for final approval. That process was
effective when the VNS’s business was simpler, but as the agency grew in
size and complexity, it was no longer sufficient.

Since then, the New York City-based home health-care agency has added new
lines of business and new services, acquired other agencies, and coped
with a flood of projects that were sidelined as the VNS prepared for the
Y2K transition. “We’ve grown more rapidly in the last 10 years than [at
any other time] in our 110-year history,” says Germann. The convergence
of rapid growth, the skyrocketing level of project requests and the
agency’s conscious decision to balance future technology initiatives
against strategic objectives led Germann and his executive colleagues to
impose a better mechanism for determining value and funding IT projects.

A  NEW  METHOD 

Germann considered several established valuation methods, including
Balanced Scorecard, total cost of ownership and a methodology developed
by Gartner. But he decided that their cost and complexity did not suit
the VNS’s current needs. So Germann incorporated elements from those
methodologies into a customized method.

The primary benefit of formalizing a valuation methodology is to maximize
the value of every IT dollar by avoiding costs and increasing
productivity. “Our strategy is to take on more projects [but not to]
increase our staff,” Germann says.

IT project proposals go through a rigorous three-stage process. First,
the project sponsor completes a request form and submits it to IS. Next,
the project sponsor works with the IS staff and members of the IS
steering committee (a seven-member group set up as part of the new
approach; it includes representatives from IS, finance, business
development and operations) to refine the project benefits, costs and
risk analysis. Then the steering committee and the CEO evaluate and
recommend projects for approval and funding to the VNS board of directors
on a monthly basis. Once the board authorizes a project, IS works with
the project sponsors to develop a charter — a guideline for the IS team
and the sponsors to ensure that they’ve allocated the necessary resources
to deliver the project within the specified time and budget parameters.

The valuation of critical success factors, both financial and
nonfinancial, is where the VNS fine-tunes the process for its
requirements. For a project to be approved, it must provide value to the
VNS in at least one of the following areas: improved quality of care,
improved speed and reliability of business operations, reduced costs,
increased revenue, improved decision support or reduced risk. To define
clinical-project specifications, Germann relies on input from the
clinical staff, which is led by Vice President of Operations Ingrid
Jimenez, who is also a registered nurse. “From the clinical and
operational side, we say, ‘This will work,’ ‘This won’t work,’ and ‘What
we would like is this,’” she says. “Then we look at how the systems will
change our work processes.”

In determining a project’s relative value, Germann and the rest of the
steering committee scrutinize the project’s economic value, its strategic
fit, its effect on the quality of service and any regulatory compliance
issues like those associated with the Health Insurance Portability and
Accountability Act. To quantify those factors, project sponsors are
required to assign a value score from zero to five, where a zero or one
has minimal impact on the agency’s objectives, and a five has critical
impact.

Risk assessment and analysis also come into play during the project
approval process. Risk factors include the degree of process change
involved, level of staff sponsorship and resource commitment, direct risk
of the technology involved and the extent of project management and
interdepartmental collaboration required. Projects are scored on a
30-point risk-level scale. For instance, high-risk projects are not
approved until the risk is mitigated at least down to a moderate level by
reducing the project scope or putting other strategies in place.

Once the steering committee members have thoroughly evaluated project
requests, they generate an aggregate score (ranging from one to 100) for
each project, factoring in the scores for economic impact, strategic fit,
service value and compliance value. Project scores are plotted on a graph
according to their value and risk scores. The value proposition, or how
much value the project is determined to bring to the agency, is plotted
along the X axis. The probability of project success, which incorporates
all risk factors, is plotted along the Y axis. Those projects in the
high-value, low-risk quadrant more easily receive a go-ahead. Those in
the low-value, high-risk quadrant are often bounced back to the project
sponsors.

One project that went back to the drawing board following its valuation
was a proposal for installing a new time and labor tracking system that
would automate the existing system. The VNS currently uses scan cards to
capture payroll information. That project was evaluated as having a
moderate to high risk, and given a value score of only 45 points, so it
was rejected. The project sponsors are now revisiting the proposal and
will likely present their plan again.

[Photo caption: George Germann, CIO of the Visiting Nurse Service of New
York, incorporated elements from established value metric systems into a
customized method aimed at avoiding costs and increasing productivity.
Photo by Steven Vote.]

EXPERT ANALYSIS

STAY FOCUSED ON STRATEGIC VALUE

BY GOPAL K. KAPUR

It is certainly gratifying to read about a CIO who is so committed to
financial justification, value assessment and the strategic alignment of
projects undertaken by his department. He is certainly outside the norm.
Our research shows that more than 50 percent of CIOs do not have a
process in place to assess IT projects for their value. It is also
gratifying to note that George Germann worked diligently not only to
involve the CFO and his department, but also to develop an evaluation
methodology suitable for the needs of the entire Visiting Nurse Service
of New York. However, I would like to draw attention to potential
weaknesses and suggest some remedies.

It should come as no surprise that modern technology can have a rather
short shelf life, especially embedded software, which may go through
multiple upgrades, resulting in unforeseen costs. Additionally, the cost
of education, training and support of such technology can be three to
five times its purchase price. There are far too many examples of
projects where such costs outstripped any promised ROI. Both Germann and
CFO Sam Heller need to make sure that the values used in justifying any
project cover more than just the one-time costs.

IT project costs are grossly underestimated, at times, to secure
management approval. Therefore, if at any time during the project
development phase, the estimate-to-complete value of a project exceeds
the original estimate used to justify it, the project may no longer be
financially viable. Our experience shows that few organizations
diligently monitor the estimate-to-complete metric.

Value is in the eye of the beholder (customer). Therefore, CIOs must
ensure that sponsors define the value of the proposed project in a SMART
(specific, measurable, achievable, relevant to strategy and time-bound)
manner. If they can’t, the project is still a half-baked idea and should
not be approved.

These issues aside, I again congratulate Germann and Heller for their
excellent work in instituting a project value assessment process.

Gopal Kapur is president of the Center for Project Management. He can be
reached at gkapur@center4pm.com.

CONSOLIDATE  AND  SAVE 

Earlier this year, Germann and his colleagues, working with consultants
from Forsythe Technology, applied their IT valuation methodology to
reveal a significant cost avoidance by revising their strategy to
steadily increase the VNS’s midrange computing capacity to keep pace with
new application deployment. The 2002 budget included an upgrade of 10 to
12 RS/6000 servers over three years. These servers support systems such
as the Visit Documentation System that runs on tablet computers that
nurses use in the field; payroll and HR systems; a new budgeting system;
and claims and remittance tracking systems required for HIPAA compliance
and other agencywide systems. The total cost of ownership during a
three-year period for these upgraded servers was $4.3 million, including
equipment costs and depreciation, maintenance, IT support, even electric
power and floor space required to operate and house the servers.

This approach, while necessary to support new systems, was costly and
fragmented. When Germann reviewed the usage data for his server farm, he
found a high percentage of unused capacity in several of the servers,
which could not be readily shared by other applications. The existing
infrastructure of nearly 30 application systems running on 13 servers
also required additional IT staff to support them, higher software
licensing costs and more facilities for storing the servers.

Germann calculated the total cost of upgrading servers and the cost of
consolidating onto an IBM p690 Regatta server, and found the three-year
total cost of ownership for the consolidation would be $2.5 million —
more than $1.8 million less than the $4.3 million TCO for upgrading the
10 to 12 servers. Using the value methodology, Germann saw that apart
from the hard-dollar cost avoidance the VNS would realize by
consolidating on the p690, he would be able to configure multiple servers
in a single platform to minimize unused capacity, keep pace with
increased application storage needs and improve reliability and security.

SHARING  OWNERSHIP 

Forcing staffers to validate and demonstrate their projects’ value helps
them assume more ownership of projects. The valuation methodology has
also made the operations side more involved throughout a project’s
lifecycle. “People in operations now know that we are scrutinizing
projects,” says Sam Heller, CFO of the VNS. “We’re looking not only at
initial ROI, but down the road, whether the ROI that was projected
actually occurred. People are becoming much more accountable and serious
about the process.”

While ROI is important, it’s not the only issue. “ROI has high weight,
but we would do a project that has high strategic value,” Heller says.
“Sometimes we do projects even though the ROI is not very positive or if
it’s hard to define.”

Besides ensuring the proper level of value for each IT project, another
significant benefit of applying this valuation methodology is that it has
fostered an increased level of understanding and alignment between the
business and operations side and Germann’s IT group. “It isn’t simply IS
making arbitrary decisions about which projects get funded and which
don’t,” Germann says.

Heller agrees that the valuation process has helped both business and IT
see each other’s point of view. “It has given operations some insight
into how IS makes decisions and what their issues are,” he says.

TWEAKS  AND 
REFINEMENTS 

The VNS has been using and refining its valuation methodology for about three years, and Germann says it is continuously being refined. Instilling the discipline in VNS staffers and executives to thoroughly evaluate all the financial and nonfinancial success factors of each project was the greatest challenge, he says.

The other major challenge was defining economic value. Germann says developing the five-point scale for scoring strategic alignment, service improvement and regulatory compliance was relatively easy. Defining quantitative economic value was more difficult. While determining one-time costs and project lifecycle run rates provides a straightforward estimate, the difficulty lay in deciding whether to account for the cost as direct savings, cost avoidance or revenue enhancement. To simplify that step, he quantifies the cost benefit on a numeric scale using an internal rate of return.

Learn More About the VNS’s Process

How do they do it? See the VNS's process for selecting IT projects in a nutshell with a VALUATION FLOWCHART. Great for sharing with your colleagues. Find the chart at www.cio.com/printlinks.

The  agency  is  now  working  on  adding 
post-implementation  audits  to  the  project 
lifecycle.  “After  several  years  have  gone  by, 
are  we  really  achieving  the  results  that  we 
intended?”  Germann  asks.  “And  if  not, 
what  can  we  do  going  forward  to  achieve 
those results or modify our project selection in the future?”

ALL ABOUT VALUE 

Value is now as critical a success factor as deadlines and dollars. And the ability to quantify the business value of nonfinancial factors like strategic alignment and improving service value has helped cast an objective lens to validating and approving IT projects. But ultimately, providing the greatest quality of care is the VNS’s number-one goal. The manner in which this methodology helps focus decision making on that goal helps everyone within the agency, says Jimenez. “The way decisions are made, they focus on projects that will provide the greatest gains for the largest number of users,” she says.

E-mail  your  feedback  on  this  article  to  Features 
Editor Lafe Low at llow@cio.com, and send your
value  stories  to  Special  Projects  Editor  Mindy 
Blodgett  at  mblodgett@cio.com. 


Visit www.dell.com/migration20 and go to the Dell UNIX Migration online calculator for a free migration assessment. Dell offers a host of end-to-end migration services, including those for Oracle® 9i. Call 1-866-446-6215 today to speak with a Dell representative. Together, you can assess your individual needs and then develop a cost-effective plan for UNIX migration.




Reality  Bytes 

A  Cold  Look  at  Hot  Trends 


Who’s  the  Boss? 


CIOs  need  to  learn  to  tailor  messages  to  the 
decision-makers  they’re  addressing 


BY  MEGAN  SANTOSUS 


TIMES  ARE  TOUGH  FOR  CIOs.  Along  with  dwindling  IT  budgets,  their 
power  and  influence  is  on  the  wane  as  well.  Having  shelled 
out  big  bucks  on  technology  just  a  few  years  ago — with  little 
evidence  of  a  direct  payback — many  companies  are  reeling, 
and  the  guys  in  charge  of  the  technology  are  the  most  obvious 
scapegoats.  (For  more  on  this  sad  theme,  see  “The  Incredible 
Shrinking  CIO”  on  Page  66.) 

Hey,  somebody’s  gotta  take  the  blame,  and  it  might  as  well 
be  the  IT  guy. 

CIOs,  like  the  rest  of  us,  are  hoping  that  the  economy 
improves;  perhaps  then  they  will  regain  their  former  luster.  But 
CIOs  shouldn’t  wait  passively  until  things  start  looking  up. 
They  can  and  should  hone  their  abilities  to  win  friends  among 
and  influence  their  executive  colleagues.  While  the  economy 
will eventually get better (it’s gotta, right?), there’s no guarantee that the days when technology sold itself will ever return. As stewards of corporate IT, CIOs have to do a better job selling the merits of the technologies that they believe will benefit their organizations. And like all good salesmen from time immemorial, CIOs need to fit their messages to the audience.


That’s why recent research on executive persuasion conducted by consulting company Miller-Williams sounds intriguing. In a two-and-a-half-year study of nearly 1,700 executives, the company found that more than half of all presentations given to executives had little or no chance of striking a chord because they didn’t match up with an individual executive’s decision-making style. As Miller-Williams sees it, decision-making styles fall into one of five categories: charismatic, thinker, skeptic, follower and controller. The category can tell you what information an executive needs to make a decision and in what order he needs to get it. If your presentation isn’t geared for the executive responsible for approving your project, there’s a good chance your message will fall on deaf ears. For CIOs looking to get budgets and projects approved, sounding the wrong chord has serious implications. “There are probably many great IT projects that should have been approved, but they weren’t, just because of the way CIOs pitched them,” says Gary Williams, president and CEO of Miller-Williams.

ILLUSTRATION BY PAUL HOWALT

It's OK to show off to your friends that you were in CIO. But it's even better to show your customers.

What better way to inform your key customers of your editorial coverage in CIO than through customized Editorial Reprints?

Leverage the positive impact of your editorial coverage by using reprints for direct mail campaigns, seminar promotions, employee communications, recruiting and marketing programs. Let us enhance your reprints with your company's logo, address, and sales message. Reprints make great SALES tools for trade shows, mailings or media kits.

And while a framed copy of your article will look neat on your wall, it will look even better in the hands of your customers.

For more information on customized editorial reprints in volume quantities, contact Chad Johnston at 651-582-3817 or cwjohnston@reprintservices.com or visit our website at cio.com/marketing and click on reprints.

Profiles  in  Personality 

Here’s  a  snapshot  of  each  decision-making  style. 

Charismatic: These are big-idea kinds of people along the lines of Richard Branson, Lee Iacocca and Jack Welch. One of the ways to recognize that you’re dealing with a charismatic type is that they tend to take control of meetings in search of the big concept. “If you have a presentation with 125 slides or a big report, a charismatic wants all that information condensed into one diagram,” says Williams. Initially, a charismatic says yes a lot, but don’t be fooled; they tend to delegate a lot of the details to others. A charismatic’s initial affirmation often hits roadblocks when it comes to implementation. So be prepared to appease different styles of decision-makers down the road.

Thinker: These folks are very attentive, very process-oriented and want to know lots of step-by-step details. “If they see that slide 101 of your presentation doesn’t jibe with slide 18, they’ll tell you,” says Williams. A talent for mathematics and a relentless focus on the numbers characterize thinkers, who often complement the decision-making style of charismatics. Well-known thinkers include Michael Dell, Alan Greenspan, Bill Gates and the late Katharine Graham. Incidentally, Microsoft’s Steve Ballmer happens to be a charismatic, which may explain why he and Gates are still working together after all these years.

Skeptic:  As  the  label  implies,  skeptics  question  everything,  so 
do  your  homework  and  be  prepared.  Think  of  Steve  Case, 
Larry  Ellison  and  Tom  Siebel.  Along  with  taking  everything 
with  a  few  pounds  of  salt,  skeptics  factor  in  the  credibility  of  the 
person  pitching  a  proposal.  To  persuade  a  skeptic,  a  good 
approach  is  to  first  identify  one  of  his  trusted  cohorts,  either 
inside  or  outside  the  company,  and  then  recruit  said  cohort  to 
your  side  of  the  argument. 

Follower: While many people don’t associate following with leadership, Williams says that in reality about 36 percent of all executives fall into this category, making it the most common of the five decision-making styles. Before they implement any project, followers want ironclad proof that it already has worked somewhere else. Hence, case studies, testimonials and best practices are the best ways to win a follower’s green light. According to Williams, followers can be tricky to identify. Many, such as HP’s Carly Fiorina, appear to be charismatic types, but if you look at how they operate “you’ll see that there’s a fear factor at work,” Williams says. The key to getting buy-in from these folks is assuaging their concerns every step of the way.

Controller: Martha Stewart and Ross Perot are the poster children. Controllers are the toughest breed of decision-makers to deal with, says Williams, because they think they know everything. Williams suggests taking a contrarian approach when working with them. “Don’t try to persuade them. Feed them enough data so that they can persuade themselves,” he says. Often, controllers need an object lesson—an external event, such as a revenue loss—to trigger any decision that requires them to change their way of thinking. One of the best cards to play is bringing up any competitor-related information. “Think of it as giving them permission to change their mind,” he says.


Actions,  Not  Words 

Decision-making  styles  are  behavior-based,  so  the  key  to 
correctly  identifying  an  executive’s  tendency  is  to  pay  attention 
to  what  she  does,  not  what  she  says.  “Once  you’ve  identified 
what  decision  style  an  executive  has,  you  can  feed  them  the 
right data and information in the right order so they can properly evaluate the proposal in the right context,” says Williams.
While  behaviors  can  change  from  one  situation  to  the  next, 
most  executives  do  have  a  default  style  that  will  guide  most  of 
their  decisions,  so  that’s  the  one  to  pay  attention  to. 

For years, CIOs have been told (by this magazine as well as through many other channels) that they have to improve their communication skills. That’s certainly true, but it doesn’t tell the whole story. Communicating effectively requires more than just a well-articulated message; it requires a well-articulated message delivered in a manner that resonates with its target audience. It’s time to get with the program.

Your future as a strategic executive may depend on it.

Opinion and Knowledge Management Editor Megan Santosus can be reached at msantosus@cio.com.




PHOTO  BY  LESLIE  FEAGLEY 


Any  system  can  store  data. 


You  need  to  store  content. 


Training  video  is  content.  Seismic  studies  are  content.  And  so  are  CAT 
scan  images,  PDF  files,  audio  clips  and  presentations.  According  to  the 
analysts,  an  avalanche  of  content  is  about  to  land  on  top  of  your  data  center. 
Are  you  ready?  With  a  Sony  PetaSite®  data  tape  library,  you  will  be. 

Sony's PetaSite libraries extend beyond terabytes into petabytes—to keep abreast of your growing storage needs. SAIT PetaSite libraries leverage the world's highest capacity data cartridge*—SAIT—to achieve the highest storage density. So you save precious data center space. SAIT also offers the lowest tape cost per gigabyte.** So you save money. Or choose Sony's DTF-2 PetaSite libraries, which have lightning-fast loading and file access. So you also save time.


Sony  PetaSite  libraries  are  ideal  for  backup,  archiving  and  Hierarchical 
Storage  Management.  Sony  PetaBack®  and  PetaServe®  solutions  give 
you  even  greater  flexibility. 

Sony  PetaSite  libraries.  The  Work  Smart  solution  for  storing  content. 
Work  Smart.  Work  Sony. 

*Source: Storage Analytics' Tape Format Facts, 1/24/03
**Media  comparison  based  on  MSRPs  of  SAIT,  LTO,  AIT-3  and  SDLT  mid-range  formats  as  featured  in  CDW,  1/23/03 


VISIT  WWW.SONY.COM/DATASYSTEMS  OR  CALL  800-829-7669  FOR 
MORE  INFORMATION  ON  SONY'S  PETASITE  SOLUTIONS. 



©  2003  Sony  Electronics  Inc.  All  rights  reserved.  Reproduction  in  whole  or  in  part  without  written  permission  is  prohibited.  Features  and  specifications  are  subject  to  change  without  notice.  Sony,  PetaBack,  PetaServe  and  PetaSite  are  trademarks  of  Sony. 


Career  Counsel 

Expert  Advice  to  Aspiring  CIOs  and  IT  Managers 


How  to  Stand 
Out  in  the 
Crowd 

When  being  different  is  good 

Q: I’m at a director level and want to take the next step. Placement on boards (either at small companies or nonprofits) seems to be a good differentiator. Is this accurate? What are some strategies I can pursue to gain such placements?

A: Becoming a board member can be a positive professional move for all involved. A nonprofit organization would benefit from your willingness to contribute your time and insight. And a small company typically dealing with issues of growth would also benefit from your experience. Don’t underestimate the insight you will gain dealing with the problems of smaller organizations, and the broader exposure to operating and corporate policy issues beyond information technology.

If you are interested in a particular nonprofit, identify the existing members of the board and contact the president to inform him of your interest, and indicate your willingness to help. Offer to take on a project or provide some insight. This will give you a look at the organization as well as provide the leadership of the organization a look at you. If you can offer a professional service that is required by the organization, consider providing it pro bono in return for a board seat.

Approaching  for-profit  companies  requires  different  tactics. 
My  recommendation  here  is  for  you  to  identify  and  approach  the 
investors.  Most  smaller  companies  are  funded  by  venture  capital 
or  private  equity  organizations.  I  suggest  you  identify  which  ones 
are  active  in  your  area  and  reach  out  to  introduce  yourself.  Make 
sure  you  have  a  current  resume,  and  be  prepared  to  review  your 
credentials  with  a  partner.  Do  some  homework  prior  to  your 
meeting;  most  investment  firms  publish  a  list  of  the  portfolio 
companies  on  their  websites,  and  it  would  be  helpful  for  you  to 
know  the  companies  the  firm  has  funded  before  any  meeting. 

Finally,  you  might  consider  targeting  an  industry.  For 
instance,  if  you  possess  deep  telecommunications  expertise  and 
are  aware  of  the  “issues  of  the  day,”  target  the  VCs  and  private 
equity firms that concentrate on this industry, as your experience will resonate a little better.


ILLUSTRATION  BY  CHRISTOPH  HITZ 


In the world of IT, there’s always something new.

And there’s nobody better to help navigate technology’s latest and greatest than a Microsoft® Gold Certified Partner for Learning Solutions. They’re an elite group of enterprise level training partners proven to be the best in the business. With credentials you won’t find anywhere else, they provide customized courses based on assessed needs. And because they’ve done it time and again, you know your staff is in the best hands possible. They stay ahead of technology, so you can stay ahead of everyone else. Find out more by contacting one of these Gold Certified Partners.

Locate a Microsoft Gold Certified Partner for Learning Solutions near you at:

http://www.microsoft.com/training/goldctec

How  IT  experts 
stay  that  way. 


©  2003  Microsoft  Corporation.  All  rights 
reserved.  Microsoft  is  a  registered  trademark 
of  Microsoft  Corporation  in  the  United  States 
and/or  other  countries. 




A  word  of  warning:  If  you  sign  up  for  a  board  position,  you 
need  to  recognize  it  as  a  commitment  to  keep.  You  need  to  be 
present at the board meetings and attend the required functions. This may seem obvious, but I have seen directors sign up
for  multiple  boards  only  to  be  “overcome  by  events”  and  miss 
half  the  meetings. 

-Gerry  McNamara, 
Partner  of  Heidrick  &  Struggles 

A  BUDGET  BUSTER? 

Q:  I  have  been  in  IT  for  the  past  10  years  with  various  roles 
under  my  belt  (engagement  manager,  account  manager  and 
project  manager)  from  a  Big  Five  consultancy  and  leading 
e-business  product  companies.  I  have  an  MBA.  To  transition 
into  a  senior  IT  management  role  in  a  company,  it  looks  like 
one  needs  to  have  managed  budgets.  This  is  one  skill  I  do  not 
have,  even  though  I  have  indirectly  managed  a  budget  and 
resources  by  leading  large  projects  for  clients.  How  should  I 
position this when I am applying for a director or senior director role? Do I need any other experiences to make this leap?

A: To overcome the concern that you lack budgetary management, you need to be able to talk about project costs that you or your boss managed, even if your contribution was not direct. Emphasize your project planning and process skills, the dollars spent on the project and indicate where you came in on time and within budget. If you do not have enough hard information about the budget, you should talk with your clients or boss and gather some facts. You never want to misstate your responsibility, but you need to indicate that there was a budget and that you were involved at some level in its management and control.

In addition, try to talk to some directors and vice presidents of IT to find out what they do in planning and managing their budgets. This will help you ask intelligent questions about a company’s budgetary processes and show that you are interested.

-Beverly  Lieberman, 
President  of  Halbrecht  Lieberman  Associates 

THE  SCHOOL  DIFFERENTIATOR? 

Q: I am currently working as CIO for an investment advisory firm. I have a bachelor’s in accounting and a master’s in information science. Should I pursue industry-specific credentials, such as Series 7 or Certified Financial Planner, or go back to school for an MBA?

A:  The  pursuit  of  additional  education  should  be  considered 
in  the  context  of  where  you  want  to  head  in  your  career. 
Getting a Series 7 and the Certified Financial Planner credentials is great if you want to stay in the investment field
and  possibly  expand  your  role  outside  of  IT. 

However,  if  you  want  to  prepare  for  continuing  your  career 
growth  in  general  management  in  or  out  of  financial  services, 
then an MBA is an important credential. Outside of the investment field, the MBA is the more broadly recognized degree
that  is  considered  suitable  for  senior  executives. 

-B.L. 

TIME  DIFFERENTIAL? 

Q:  Are  there  any  part-time  positions  or  job-sharing  positions 
for  senior  management  in  IT? 

A: I have not heard of job-sharing arrangements for senior-level IT people. If they exist, employers created them to accommodate specific people who have worked for them and have a need to be part time. I think part-time arrangements are more abundant for individual contributor roles such as programmers.

-B.L. 


BRIDGING  THE  GREAT  DIVIDE 

Q: My IT team is split between highly technical resources and nontechnical businesspeople. There is a lack of respect from the techies. How do I help them overcome this and convince them one can be a good manager without being highly technical?

A:  This  sounds  like  a  test  and  challenge 
of  your  leadership  skills,  and  it  is  a 
prevalent  one  in  most  organizations. 
The skill sets required in the IT organization have changed over time, resulting in a mix of skills and experiences
dramatically  different  from  that  of  the  past. 

Your  leadership  is  more  important  now  than  ever  before. 
Make  sure  you  have  a  crisp  vision  for  where  your  organization 
is  going,  that  everyone  understands  the  organization’s  mission 
and  that  each  person  knows  how  she  can  contribute.  You  must 
have  all  of  this  in  writing,  disseminate  it  and  make  sure  you 
communicate,  communicate,  communicate! 

A  basketball  team  does  not  have  five  guards  or  five  centers. 
There  is  a  center,  two  forwards  and  two  guards  on  the  floor  at 
any  one  time,  each  with  a  particular  assignment.  When  each  of 




CIO  ADVERTISING  SUPPLEMENT 


What Every IT Leader Needs to Know

A Guide to Getting the Most out of Microsoft's Software Assurance for Volume Licensing

IT’S EASY TO SEE THE VALUE OF SOFTWARE.

After all, we’re talking about technology that runs the global economy and increases worker productivity in ways unimaginable even three years ago.

Yet when it comes to software licensing, CIOs have struggled for years to articulate the value of their agreements in terms that their business peers can embrace. This struggle has only intensified in recent years, in response to boardroom-level pressure to drive down costs. Software licenses and support are prime cost-reduction targets, made even more vulnerable because they often exist as separate budgetary items that renew on separate schedules. As a result, CIOs are taking a long, hard look at their current licensing options, and the upshot is clear: they need a clear value proposition.

“I’m  the  one  who  has  to  worry  about  licensing  and 
support  and  getting  approval  from  the  president  of 
the  company,”  says  Joe  Brunner,  MIS  manager  at 
Sleepeck  Printing  Co.  in  Bellwood,  Ill.  “For  me  to 
sell  it,  my  bosses  need  to  be  able  to  understand 
what  we  are  getting  in  return.” 

And  for  many  companies,  the  new  version  rights 
that  come  along  with  the  acquisition  of  a  Software 
Assurance  (SA)  are  just  not  enough. 

“Many  clients  are  looking  for  more  value,  or  at  least 
they have to have better justification,” says Al
Gillen,  research  director,  systems  software,  at  IDC, 
a  research  company  in  Framingham,  Mass.  “If 
they’re  going  to  buy  SA,  they  need  to  know  the 
specific  value  that  will  come  out  of  it.” 

That’s why Microsoft® has announced major enhancements to Microsoft Software Assurance for volume licensing, adding richer benefits and features that CIOs can use to drive home the business value of Software Assurance. While Software Assurance benefits vary by licensing program, in general the new benefits offer:

■ Increased productivity and efficiency — With such features as the Home Use Program and training vouchers for users and technical staff, Microsoft Software Assurance for volume licensing can help boost corporate productivity by making it simple to work more knowledgeably and flexibly.

■ Streamlined and reduced software license payments — Software Assurance means that CIOs can dispense with the complexity of separate licensing and support programs, moving license payments into a single sum that generally is lower than the previous options. Depending on the program, the features vary.

■ Easier budgeting — Software Assurance customers can spread out software payments to keep the budget line items flat — and the CFO happy.

■ Built-in support costs — Using Software Assurance means that support costs go down, as features such as eLearning and TechNet Online Concierge Chat enable CIOs to stretch their budgets.

Microsoft's newly-enhanced Software Assurance plan delivers greater investment value by offering:

■ Streamlined support and spread out licensing payment schedule, giving CIOs the ability to predict their budget with more confidence;

■ Access to support and tools such as TechNet Plus and Problem Resolution Support, adding another layer of assistance to the IT environment;

■ Features such as eLearning and the Home Use Program, which help companies add business value by working smarter.

The essential elements of Microsoft Software Assurance:

Spread Out Payments
Home Use Program for Microsoft Office System only
New Version Rights
Employee Purchase Program

“It’s time to sit down and do the business impact analysis again,” says Julie Giera, a research fellow at Forrester Research in Cambridge, Mass. “CIOs will find not only productivity benefits for corporate workers, but there will be real dollars added to the budget as a result of the SA enhancements. I think if you add up the business impact of all these enhancements, from eLearning to training vouchers, the total business value of SA is going to far outstrip the cost of the product. Large companies can save as much as 20 percent, and that’s a big number.”

The  enhancements  to  Software  Assurance  fall 
into  four  key  areas:  productivity,  support,  tools 
and  training.  Each  enhancement  is  designed  to 
help  companies  use  Software  Assurance  to  build 
business  value,  whether  it  is  by  helping  workers 
use  Microsoft  software  more  effectively,  or  by 
cutting  IT  costs  through  enhanced  support 
options. 

These  new  enhancements  are  just  being  rolled 
out to customers now, but industry analysts already have given them high marks.


“There’s no question that Microsoft is providing more value from SA,” says IDC’s Gillen.
“They’ve  raised  the  bar,  giving  customers  a  lot 
more  value  at  the  expense  of  Microsoft.” 

To  summarize  the  new  Software  Assurance 
enhancements: 

Productivity 

Software  Assurance  features  help  corporations 
increase  employee  productivity  in  a  number  of 
ways.  The  Home  Use  Program  for  Microsoft 
Office®  System,  for  example,  allows  workers  to 
install  copies  of  Microsoft  Office  software  on 
their  home  computers  for  free,  thus  contributing 
to  flexible,  “anytime,  anywhere”  work  hours  for 
many  knowledge  workers. 

“Home use rights are a big thing,” says John McGrath, software licensing specialist at Bell Techlogix Group in Indianapolis, Ind. “It’s key for everybody in terms of productivity, especially with budgets the way they are these days.” McGrath also likes the Employee Purchase Program, which lets employees purchase up to three copies of certain software titles at a discounted rate. “From the employee standpoint, that benefit is even better, and it will help improve employee satisfaction,” he says.

CIOs also retain the new version rights under Software Assurance, entitling them to new version rights as they become available during the term of their agreement, and streamlining the entire licensing process. Software Assurance also helps with budget control by allowing IS executives to spread out their payments. “One of the things that financial people love is a flat budget — you can’t increase the budget by more than 3 percent over last year, for example,” says Alvin Park, research director at Gartner, a research company in Stamford, Conn. “If you get into this kind of program, the cost remains flat every year. You don’t have to go through the pain and agony of asking for a big chunk of money every three or four years.”

Support  and  Tools 

CIOs can take advantage of the extensive array of support features and tools that Microsoft has added across the licensing platforms of Software Assurance to help their IT staff resolve issues faster and more efficiently — and save money in the process.

For example, TechNet Plus, an extensive series of CD-ROM media containing new product and other information, is now also rolled into Software Assurance. “If you’ve been paying for several subscriptions, this would be a way to save money, since it now comes with SA,” notes Park.

McGrath  says  that  in  his  talks  with  clients,  this 
feature,  plus  Problem  Resolution  Support,  has 
gotten  the  most  attention.  “Getting  hold  of  the 
latest  and  greatest,  or  [being  able  to]  more  easily 
deploy  what  they  have — that’s  what  IT  guys  live 
for,”  says  McGrath. 

Depending  on  the  program  you’re  in,  Problem 
Resolution  Support,  in  which  standard  edition 
server  Software  Assurance  customers  have  access 
to  web  support  and  enterprise  edition  server 
Software  Assurance  clients  have  access  to  both 
web  and  phone  support,  is  one  of  the  biggest 
new  features,  Park  says.  “That  has  to  be  the 


the  essential  elements  of 
microsoft  software  assurance 

&  TOOLS 


TechNet  Online  Concierge  Chat 
TechNet  Plus 

Problem  Resolution  Support 
Extended  Lifecycle  Hotfix  Support 
Microsoft  Windows  Preinstallation 
Environment  Tool 


CIOs  Need  to  Know  About 
Microsoft’s  Software  Assurance 


It's a productivity booster. "CIOs need to think about the overall
effect of getting more productivity out of employees across the
company. If you get free home use rights for the software, you'll get
more productivity out of employees because they'll take work home and
do it then."
—ALVIN PARK, GARTNER

It has demonstrable business value. "The less obvious features and
functions of SA will have even more of an impact on the business. Look
at corporate error reporting and the control available inside IT. You
can get good IT folks to do trend analysis and see problems before they
impact the business."
—JULIE GIERA, FORRESTER RESEARCH

It shows clearly what you're getting for your money. "Microsoft has
added valuable options to SA, and provided a long-term path for where
customers are going to spend their money and what they're going to get
for it. This kind of stability makes it easier for customers to make a
long-term commitment to Microsoft and to justify the financial
decision."
—STEVE MCHALE, IDC

Its benefits extend beyond IS. "The changes are tangibly more
economical and provide immediate business value. I estimate that very
large enterprises can save hundreds of thousands and even millions of
dollars with SA."
—LAURA DIDIO, YANKEE GROUP

It's a step in the right direction for Microsoft and its customers.
"It's impossible to go forward and say that there's anything really bad
about the changes to the SA program."
—AL GILLEN, IDC


S3 


CIO  ADVERTISING  SUPPLEMENT 


most  valuable,”  he  says.  “The  CIO  may  not  have 
to  spend  as  much  on  support  as  they  have  in  the 
past  if  they  can  use  this  support  to  offset  other 
costs.” 

Another feature is Extended Lifecycle Hotfix support for Software
Assurance customers, which extends support for up to two years on
software versions that are generally no longer supported by Microsoft.
“It gives me a little more leeway on when I want to do things,” says
Sleepeck’s Brunner. “I’ve got more control, so I’m not under the gun.”

the essential elements of microsoft software assurance: eLearning,
Training Vouchers

There’s also the Windows Pre-installation Environment tool (WinPE),
which lets IT workers copy OS and pre-install the Microsoft Windows®
desktop operating system onto their machines. “It will remotely install
and configure on something that doesn’t have the operating system,”
says IDC’s Gillen. “It’s useful for large scale rollouts.”

Software  Assurance  also  includes  Corporate 
Error  Reporting,  which  allows  IT  departments  to 
track  the  error  reports  generated  by  Microsoft 
Windows  XP.  “It  could  help  them  figure  out 
what  applications  are  blowing  up,”  says  Gillen. 
“That’s  a  pretty  cool  tool  to  have.” 

“All these benefits come down to an issue of time—they offer the
ability to save time or do things on flex time,” says Bell’s McGrath.
“The bottom line is that companies that take advantage of them can
become more productive.”


Training 

Training is often one of the first items to be cut from IT budgets. By
adding benefits such as eLearning and third-party training vouchers for
IT personnel to Software Assurance, Microsoft is helping companies make
their technology dollars work harder. The end result: CIOs can help
their companies get the job done smarter. For example, Steven Edwards,
vice president and IT director of Solomon Cordwell Buenz & Associates,
Inc., an architectural company in Chicago, found the eLearning option
very appealing because it allows users to get advanced training on
Microsoft software via the web, at a schedule they set for themselves.
“When we have to spend money on advanced training, it’s for software
such as CAD,” Edwards says. “So, eLearning helps companies like mine
that can’t afford a large training budget. Now our employees have no
excuse not to learn.”

“Microsoft  has  more  experience  than  my  shop 
does,  and  can  provide  great  convenience  as 
well,”  agrees  Brunner.  “This  lets  people  learn 
at  their  own  pace  and  time.” 

Third-party  training  vouchers,  which  CIOs  can 
use  to  provide  formal  IT  training  at  Microsoft 
Certified  Technical  Education  Centers,  also  have 
an  easily  quantifiable  value,  says  IDC’s  Gillen. 

Conclusion 

In the end, the responsibility for IT value sits squarely on the CIO’s
shoulders. If CIOs are to clearly articulate the value of IT to
boardroom-level executives, they must decide which technology and
services represent the most value for the dollar. Software Assurance,
with its ability to beef up employee skills through training and
provide built-in incentives to employees, can prove a key support in
that ongoing struggle. By boosting end-user activity, productivity and
morale, Microsoft’s Software Assurance for volume licensing can help
build a happier, more productive company.


For  More  Information  on 
Software  Assurance 

To  learn  more  about  the  enhancements 
to  Microsoft's  Software  Assurance  for 
volume  licensing  programs,  go  to 
www.microsoft.com/licensing 
or  contact  your  Microsoft  Account 
Manager  or  Preferred  Reseller 




YOU  NEED  TO  GET  SMART.  FAST 


Do you know which skills you should develop for successful
leadership? Are you politically savvy enough to know
when to take risks and when to be tough? Turn to the
CIO FOCUS™ on TRUE LEADERSHIP: DEVELOPING AND
LEVERAGING THE SKILLS TO CAPTAIN I.T. - actionable
information created, filtered and packaged by the
award-winning editors of CIO magazine.


CIO  FOCUS™  is  delivered  right  to  your  desktop,  giving  you 
immediate  access  to  the  information  you  need.  And  for  your 
future  reference  needs,  the  electronic  file  is  followed  by  a 
packaged  version,  shipped  within  72  hours.  Available  now  at 
an  introductory  price. 


CIO  FOCUS™ 

STRATEGIC  GUIDES  FOR  EXECUTIVE  DECISION  MAKING 



Offshore  Outsourcing:  Navigating 
the  Opportunities  and  Risks 

IT  Cost  Control:  Smarter  Spending 
Strategies  for  Tight  Times 

Knowledge  Management:  Harnessing 
the  Power  of  Intellectual  Assets 


How  to  Retain  IT  Staff  in  Boom 
Times  and  Bad 


The  Resource 
for  Information 
Executives 


EXECUTIVE  DECISION-SUPPORT  TOOLS,  VISIT  THE  CIO  STORE— THE  CIO’S  KNOWLEDGE  MARKETPLACE 

www.TheCIOStore.com


Career  Counsel 


them does his job, they win. The new IT team requires nontechnical
yet specialized skills to accomplish its goals.

-G.M. 


PICK ME, PICK ME

Q: Since many IT people are looking for work these days, companies
have an ample supply of candidates. How does one stand out above all
others to get noticed during the submission process?

A: Without question, we are in a somewhat unusual time as there have
been sizable layoffs and many highly qualified people looking for work.
To begin with, the stigma of being unemployed is not what it used to
be. If your unemployment is the result of a massive reduction in force,
most prospective employers will not hold it against you.

You need to find out who is managing the process
and set your credentials in front of him.

To “get noticed” during the submission process requires you to
distinguish yourself above and beyond others. First, be realistic. For
those positions that you are qualified for and have a high level of
interest, you need to take initiative. Be aggressive but temper this
with good judgment. Find out everything you can about the opportunity,
and recognize that there are several objectives. The primary objective
is to be selected for the interview phase of the recruitment process.
The process for selecting candidates is different from company to
company. You need to find out who is managing the process and get your
credentials in front of him. Try to have a live phone conversation with
this individual, and discover as much as you can about the position and
the type of individual the company is seeking. If you are still keen on
the position, ask for an interview highlighting why you believe you are
a match for the opening.

Follow up your phone conversation with a thank you note and a fresh
copy of your resume. Customize the cover letter to indicate why you
remain convinced you have the skills for the position. Meanwhile,
conduct as much research as possible on the company, industry and its
competitors. Do you know anyone at the company who might provide any
insight on what life is like as an employee? In general, be as upbeat,
creative and eager as possible without being disingenuous. Be yourself
and make a positive impression. You may or may not get the interview,
but at the very least you have made a contact that may result in
something positive down the road.

-G.M.

Have a Career Question?

Visit the online CAREER COUNSELOR at www.cio.com/counselor to ask our
experts your questions and browse their answers.



THE  INTERNATIONAL  SCENE 

Q: I am a director-level IT executive who has worked globally and
managed a multinational organization for a conglomerate. I recently
returned to the United States where I am an IT director driving
business transformation for the CEO and CIO. However, I really want to
get back overseas—working and leading in a multinational environment
again. Who could I work with to get back on the international track?

A: To find a position overseas, you need to start networking with
people you know who are in a position of influence. You should also
target a number of companies that interest you and do some homework to
find out their needs overseas. Join a few professional IT associations,
such as the Society for Information Management, where CIOs and their
direct reports get together on a regular basis for professional
development and networking. Also, you should contact some good
executive recruiters who have multinational clients and be sure they
know you. Have a very clear and well-developed resume that speaks to
your skills and accomplishments that you can send to people.

-B.L. 

INSIDE  JOB 

Q:  I  have  been  with  my  company  for  15  years  but  have  not  been 
able  to  break  into  the  top  layer  of  IT  management.  While  I  am 
regarded  as  a  senior  manager,  I’m  still  waiting  on  a  promotion 
to  that  grade  level.  I  have  led  major  projects  and  managed 
departments  successfully,  reported  to  and  gotten  good  reviews 
from  several  members  of  the  top  management  team,  and  have 
assisted  the  senior  team,  including  the  CIO,  with  strategic 
planning  and  executive-level  presentations.  I  enjoy  my  work 
but  don’t  feel  appropriately  recognized  or  rewarded,  and  I  am 
continually  frustrated  by  my  failure  to  make  it  to  that  top  level. 
I’m  55  and  have  a  lot  invested  here,  so  I’m  hesitant  to  leave. 
However,  should  I  realistically  be  considering  a  move? 

A: Given the facts as you have presented them, there seems to be
something in your way, some obstacle that is preventing you from
reaching that position you covet in the ranks of “the top layer” of IT
management. Your first consideration is whether there have been others
who have been internally promoted from your level to the top echelon,
or any outsiders brought in at the upper ranks. If neither of those has
occurred, you may be in a situation that for whatever reason simply
does not offer the growth potential you seek. Possible reasons might
include very low management turnover, shrinking IT funding and poor
performance of the enterprise. In any of these cases, I recommend you
consider external options that would either get you to the next level
directly or a lateral move that would position you for upward movement
in a high-growth environment.

Consider options that would either get you to
the next level directly or position you for upward
movement in a high-growth environment.

Alternatively, if you have truly been bypassed for promotion, your next
move is a serious sit-down with your boss—preferably away from the
office, over lunch or dinner perhaps—for a heart-to-heart discussion of
the reasons behind the lack of recognition. You must be prepared to
hear what you may not want to hear and to listen carefully rather than
react on the spot. Afterward, be brutally honest with yourself and
judge if this is fair and accurate feedback. If so, seek out
developmental assistance to overcome these weaker areas in your skill
set or experience. If, on the other hand, you sincerely disagree with
the assessment you received, get a second opinion. If you are still
skeptical, put together and present a thoughtful and constructive
response to the CIO. If all this fails, then it’s time to craft and
execute your job search strategy.

-Mark Polansky, Managing Director and Member
of the Advanced Technology Practice
at Korn/Ferry International


Does Your JCL Environment Need a Tune-Up?

Optimize Performance

When performance matters,
expertise makes the difference

A high-performance engine requires routine maintenance
and tune-ups to run efficiently. IT organizations striving for
high-performance operations need to ensure that their JCL
environment is also tuned up for optimal performance.

Of course data centers are more complex than a car engine, and
to begin a JCL "tune-up" project, you have to justify the benefits and
results up front. Since 1978, Diversified Software has been developing
the JCL technology and expertise to help leverage your internal
resources to achieve a more cost-effective data center.

With the demands of mission-critical operations, wouldn't life be
easier with a proven partner?

To receive the article, "The Value of a Cost-Effective JCL Environment",
or to request a meeting with one of our consultants to discuss
a JCL tune-up, visit www.diversifiedsoftware.com/operations

Diversified Software

18635 Sutter Blvd.
Morgan Hill, CA 95037
Phone: 1-408-778-9914

© 2003 Diversified Software Systems, Inc. All Rights Reserved


PICK MY MISSION

Q: I am the first CIO at a small industrial equipment company. My
previous six years of experience was as a CRM and sales-force
automation consultant. I have looked over where we are technologically,
and based on our business plan have started plotting a direction by
dividing projects. I plan to present this to senior management in a
cafeteria-type model in which senior management could pick and choose
what they see as important. Any critical infrastructure changes will be
included, but not optional. Do you feel this is a good approach?

A: Your query is more about the successful execution of your mission
and your performance as a CIO than it is a career strategy question.
That said, you should definitely not give senior management a
smorgasbord of IT projects to pick and choose from. Instead, work with
an executive sponsor from the business side of the company for each
project and build a business case, which must include ROI or
measurement of anticipated financial impact, for each proposed
undertaking. Then rank-order the list of projects that the business
leaders—not you—endorse and are willing to present to senior management
as their own. Without that business alignment and buy-in, you won’t
succeed. With their support and their credibility on the line, your
business peers will fight with you for funding and collaborate with you
on each project’s success and ultimately yours too. Additionally,
present worthwhile infrastructure projects as your own, each with a
fully developed business case as well. Then it’s up to senior managers
to determine how far down the list they wish to approve and fund based
on their appetite for cumulative IT investment, and the balance of
priorities between IT projects and other requests for capital
expenditures. -M.P.


OPTION A OR B?

Q: I have been the MIS director (the top IT position) for a law firm
for six years. I have two job offers on the table. Job No. 1 is a
second-in-command to the CTO (top IT position) of a midsize,
not-for-profit credit union, with three direct reports and 11 indirect
reports. This new job has no strategic management responsibilities.
Job No. 2 is at a midsize manufacturing subsidiary of a large
international organization. It is the lead IT position for one plant,
with direct reports. Less money, but I don’t have to move. Which job is
better for my long-term career goal of attaining a CIO position in
either the financial or manufacturing industry?

A: The answer is C, “none of the above.” As you have already held a top
IT position, the second-in-command opportunity at a credit union is a
step backward by taking you away from the business strategy
proposition. Job No. 2 takes you away from the strategic, value-add
contribution potential of a CIO role and puts you in an “outpost”
situation, which will eventually necessitate a relocation for
advancement. It too has little to recommend it.

If you are excited about the legal field, make up a list of the top
firms in your area and contact each one proactively. Otherwise, I
recommend that you continue to evaluate opportunities (the easy ones
came quickly) and be selectively looking for top IT roles in small and
midsize organizations that offer an opportunity to broaden your scope
and scale of responsibility, or a first- or middle-tier position at a
larger enterprise in which you can expand the range and depth of your
IT experience and business knowledge. -M.P.

The  Web-based  Executive  Career  Counsel  column  is  edited  by  Director 
of  Online  Research  Kathleen  Kotwica  ( kkotwica@cio.com ). 




There  are  already  successful  multi-channel 
integration  systems  at  work  in  your  organization. 


With  all  these  points  of  contact,  this  employee  has  increased  her  chances  of  making  a  sale.  It  may  seem  basic,  but  that’s  where  a  decent 
CRM  Programme  starts  -  maximising  your  client  contact  channels.  BT  offers  a  range  of  innovative  CRM  solutions  such  as  outsourced 
contact  centres,  making  sure  that  the  right  information  reaches  the  right  person  at  the  right  time  -  bringing  together  all  your 
customer  information  in  harmony.  Because  we  all  know  that  in  business,  communication  is  everything.  To  find  out  how  your  business 
communications  could  run  like  your  human  communications,  contact  us  on  1-800-331  4568  or  www.bt.com/globalservices 




Fine  Print 

What  You  Don’t  Know  Can  Hurt  You 


The  Copyright 

Cuffs 


Why we should care who gets the merchandising deal
from a movie or the song tie-in on a variety show


BY  JONATHAN  ZITTRAIN 


A COUPLE OF YEARS AGO I was talking with a law school colleague
about cyberlaw and the people who study it. “I’ve always wondered,”
he said, “why all the cyberprofs hate copyright.”

I  don’t  actually  hate  copyright,  and  yet  I  knew  just  what  he 
meant.  Almost  all  those  who  self-identify  as  cyberspace  law 
scholars  agree  that  copyright  law  is  a  big  mess.  So  far  as  I  can 
tell,  federal  courts  experts  don’t  reject  or  loathe  our  system  of 
federal  courts,  and  criminal  law  experts  split  every  which  way 
on  the  overall  virtue  of  the  criminal  justice  system.  So  what’s 
with  cyberprofs’  uniform  discontent  about  copyright? 

I think an answer can be gleaned from the tax scholars. Without
decrying the concept of taxation, every tax professor I’ve met regards
the U.S. tax code with a kind of benign contempt, explaining it more
often as a product of diverse interests shaped from the bottom up than
as an elegant set of rules crafted by legal artisans to align with
high-level principles about the most just way to redistribute resources
or to maximize social welfare.

Copyright is like that too, and while I hate its Platonic form no more
than the typical tax maven hates tax, I find myself struggling to
maintain the benign part of my contempt for its ever-expanding
21st-century American incarnation. A gerrymandered tax code primarily
costs the public money—measured by overall inefficiency or extra taxes
unfairly levied on those without political capital. But copyright’s
expanding cost is measured by a more important, if inchoate, currency
of thoughts and ideas.

The  Law  and  the  Reality:  From  TVs  in  Restaurants 
to  Woody  Allen  Quotes 

We live today under two copyright regimes—the law on one hand and
reality as experienced and practiced by the public on the other. These
regimes’ orthodoxies have become increasingly divergent, but until
recently they governed completely discrete spheres.

The U.S. legal regime is found within Title 17 of the federal code. It
proscribes such acts as the public performance of music without payment
to the composer, or the copying of books without the permission of the
author (or more likely the company to whom the author long ago assigned
rights).

ILLUSTRATION BY PETER HOEY C/O THEISPOT.COM ©2003


These days, you are your information. And having information that's
less than accurate is simply no longer acceptable. Yet with
incompatible data sources and volume multiplying, how can you possibly
bring all of your data together and come up with a timely and relevant
assessment of your business you can trust? The answer is Informatica®.
We can transform your disparate enterprise data—regardless of source or
application—into a single, manageable, and scalable resource that
delivers business insight that is easy to use, reliable and auditable.

To learn why over 80% of the Fortune 100 have turned to our unified
data integration and business intelligence solution, just call
800-970-1179, or visit us online at www.informatica.com. Because if
you're only as good as your data, this is how to always be at your very
best.

© 2003 Informatica Corporation. All rights reserved. Informatica, the
Informatica logo, and "Turning integration into insight" are trademarks
or registered trademarks of Informatica Corporation.


The limits on behavior enumerated in the first regime have gone far
beyond the wholesale copying of books, maps and charts covered by the
first copyright act of 1790. They now extend to computer software,
dances, boat hulls (delineated in a 1998 amendment as “the frame or
body of a vessel including the deck, but not the rigging”) and music
(Congress covered performances in 1909, and copies of sound recordings
in 1971). What the public can and can’t do is now described at a
dizzying level of detail worthy of the most byzantine tax code.

Title 17’s limits on behavior now extend to
computer software, dances, boat hulls (the frame
and the deck, not the rigging) and music.

For  example,  bars  and  restaurants  that  measure  no  more 
than  3,750  square  feet  (not  including  the  parking  lot,  so  long 
as  the  parking  lot  is  used  exclusively  for  parking  purposes)  can 
contain  no  more  than  four  TVs  of  no  more  than  55  inches 
diagonally  for  their  patrons  to  watch,  so  long  as  there  is  only 
one  TV  per  room.  The  radio  can  be  played  through  no  more 
than  six  loudspeakers,  with  a  limit  of  four  per  room.  That  is, 
unless  the  restaurant  in  question  is  run  by  “a  governmental 
body  or  a  nonprofit  agricultural  or  horticultural  organization, 
in  the  course  of  an  annual  agricultural  or  horticultural  fair  or 
exhibition  conducted  by  such  body  or  organization.”  Then  it’s 
OK  to  use  more  speakers. 

This astonishingly elaborate and expansive copyright regime isn’t fed
only by statutes, of course. Judges’ interpretations account for much
of its reach. The notion of “contributory” copyright infringement—in
essence, aiding and abetting copycats—is entirely judge-made. In
conjunction with a statutory limit on creating not just copies but
“derivative” works of a copyrighted original, a theory of contributory
infringement led two courts to outlaw the production by third parties
of cassette programs designed to be inserted into the belly of Teddy
Ruxpin talking stuffed animals. The idea was that by pushing the play
button when a non-Teddy Ruxpin story tape was inside the creature,
children would be creating a contraband derivative “audiovisual work
comprising animated plush toy bear with unique voice.” Since toddlers
are largely unsusceptible to cease-and-desist letters, it fell to the
cassette manufacturers to stop providing the ready means for the kids’
illegal behavior.

For all of its detail, however, Title 17 remains stubbornly vague,
recalling Woody Allen’s indictment of a bad restaurant: “The food at
this place is really terrible...and such small portions.” Including
Woody Allen’s quotation here is probably fair use, so it’s OK to repeat
it without his permission—but we’d have to risk a lawsuit to be sure.
No wonder most publishers proceed as if fair use doesn’t exist at all,
asking permission to use every quote—or failing that, doing without.

Title 17’s copious yet unfulfilling amount of detail used to trouble
only professional (re)publishers and their lawyers. Title 17’s reach
has tended, as a practical matter, to leave individuals unaffected. The
examples above might make for cocktail party curiosities, but whatever
their indirect public effects—a craned neck as a result of trying to
watch the sole television in a large barroom, or a child deprived of
the full potential range of Teddy Ruxpin stories—they don’t directly
constrain individual behavior, which has been de facto governed by a
second regime of reasonable practice.

The public has instinctively cabined its potentially
copyright-infringing urges not through knowledge of the law but thanks
to the combined weight of conscience and convenience. It’s a hassle to
photocopy a book cover to cover, so most of us don’t bother to do it,
and those who do are possibly such cheapskates that they wouldn’t buy
the original to begin with. (Kinko’s—well aware of and effectively
regulated by Title 17 after losing hundreds of thousands of dollars in
a 1991 lawsuit brought by publishers over a dozen course packs
involving copies of book chapters—won’t do it on someone else’s behalf,
for fear of contributory copyright infringement liability.) Still
others might actually think it wrong to make wholesale copies even if
it’s easy. They might choose to copy only a few pages, or to simply buy
the whole work.

As  Title  17  has  expanded,  the  corporate  and  individual 
regimes  have  diverged  further  and  further,  at  odds  but  not  in 
friction. The former is subject to increasing numbers of exceptions,
counter-exceptions, contractual agreements and licenses
among lawyers. The latter bumps along simplistically, limited
by the amount of copying anyone could or would do as a practical
matter. Those technically illegal activities thus escape the
attention  of  publishers. 

Where the Copyright Rubber Meets the Road to Court

When points of friction have threatened, the publishers have
taken quick action, ferociously fighting against any perceived
legal or practical encroachment on copyright’s rights and the
cash flows associated with it. Recall the reaction of the Motion
Picture Association of America (MPAA) to the prospect of a
VCR. “The VCR is to the movie industry what the Boston
Strangler was to a woman alone,” warned Jack Valenti, then
(and still) president of the powerful group. In the now-famed
Sony case of 1984, the U.S. Supreme Court held in a 5-4 decision
that the VCR was not an illegal instrument of contributory
copyright infringement. Valenti to this day rues the loss of the
MPAA’s position despite the comparatively staggering revenue
gleaned from video rentals ever since. He says that the MPAA
didn’t want to impede the VCR’s deployment; it simply wanted
to be able, through a favorable ruling, to withhold permission
for sale of the technology until manufacturers agreed to a
per-unit fee on VCRs and blank videocassettes that would be
remitted to the publishers.

When  digital  audiotape  recorders  (DATs)  threatened  to 
enable  individuals  to  make  perfect  copies  of  CDs,  and  copies  of 
those copies, the music publishers prodded Congress into passing
the Audio Home Recording Act of 1994, which required
producers of DATs to incorporate the Serial Copy Management
System (SCMS) in their products. The SCMS is defined
nowhere in a statute that goes to the trouble of defining such
words as children and parking lots. As implemented, it prevents
a DAT from making a copy of a copy if the copy is digitally
labeled “Do not copy me.”

Taking a lesson from the loss in the VCR case, MPAA lobbyists
fought for and won provisions for a tax on the producers
of digital recorders and blank digital tapes. The tax revenue
does not go to the government; it is remitted to publishers
according to a scheme that demonstrates just how many parties
wanted a slice of the pie. Title 17 now contains such gems
as “2 5/8 percent of the royalty payments allocated to the
Sound Recordings Fund shall be placed in an escrow account
managed by an independent administrator jointly appointed
by the interested copyright parties described in section
1001(7)(A) and the American Federation of Musicians (or any
successor entity) to be distributed to nonfeatured musicians
(whether or not members of the American Federation of Musicians
or any successor entity) who have performed on sound
recordings distributed in the United States.”

Unsurprisingly, as a result of the law, DAT players were stillborn,
so there were few spoils to split, which was no doubt a
perfectly acceptable outcome to the publishers.

With the advent of the DVD player, manufacturers and publishers
came together to create a nonprofit association that would
control a “secret recipe” for decoding DVDs. Anyone who
wanted to make a DVD player had to obtain the association’s
recipe. It was given only in exchange for a promise that the DVD
player would have certain copy protections in place—such as
conveying a signal that would jam a VCR trying to record a
DVD—and that the player would incorporate “regional coding,”
by which different continents would have different players, and
the DVDs from one wouldn’t function in the players from
another. This enabled DVDs to be released in different regions
at different times and ensured that those licensed to sell DVDs
in one region wouldn’t have to worry about having their prices
undercut by sellers exclusively licensed to sell in other regions.

Enter  the  800-Pound  Test:  The  Internet 

Then  came  the  Net  and  the  all-purpose  computers  attached  to 
it. With the right software, individuals could copy digital content
at arm’s length from one another, perfectly, quickly and
cheaply — and  the  presence  of  a  copyright  symbol  did  little  to 
deter  them  from  doing  so. 

In  theory,  of  course,  Title  17  applies  to  everyone.  I  believe 
that the vast majority of uses of Napster represented indefensible
infringements of copyright. Even the Sony case of 1984
included a token individual defendant, a VCR owner who was
the alleged direct infringer. But copyright defenders did not
demand that he pay damages or change his behavior. More
recently, the publishers have sought the identities of individual
users of Internet file-trading services, and brought (and settled)
suits against 12-year-olds, college students and hundreds of others
alleged to be contributing unauthorized files to file-swapping
circles. The dragnet even caught 71-year-old Durwood Pickle of
Richardson,  Texas,  who  found  out  he  was  being  sued  when  the 
Associated  Press  called  him  to  write  a  story  about  it. 

“I’m  not  a  computer-type  person,”  Pickle  told  the  AP.  “They 
come  in  and  get  on  the  computer.  How  do  I  get  out  of  this? 
Dadgum it, got to get a lawyer on this.” (He blamed his grandchildren
for the activities, which could well insulate him from
liability — but  it’s  a  good  bet  he’ll  settle.) 

While these suits against individuals make headlines, they do
not represent a wholesale strategic shift in which tens of thousands
of Americans will be served with lawsuits. They are meant
to set a couple of high-profile examples to add teeth to “instant
messaged” infringement warnings conveyed to file-swapping
service users over the services themselves, and perhaps to establish
clear precedent of infringing network uses so as to maximize
pressure on Internet sites and service providers that might be
conscripted into the copyright wars. Network carriers and those
creating network-aware applications hate to admit it, but they
can influence the behavior of their users—in essence, they are the
copy shops and DAT makers of the Internet. The publishers’
strategy has worked in some cases but not others.

For example, the Recording Industry Association of America
successfully shut down Napster for providing services to
netizens to facilitate the sharing of copyrighted and public-domain
files alike, without taking steps to filter out the former.
(The recording industry is not resting on its legal laurels.
It is now suing the venture capital firm Hummer Winblad for
daring to finance Napster under what seems to be a novel
Matryoshka-doll theory of contributory contributory copyright
infringement.) The industry’s suit against Napster’s technological
descendants Morpheus and Grokster has, however,
foundered in a thoughtful—but probably soon-to-be-overturned—district
court holding and opinion that found a number
of important technical differences between the two
generations of software.

The puzzle for the judge was that these software products are
essentially small leveragings of the core functions of the Internet
itself—golden spikes that complete a railroad built by others.
(The Gnutella client, a recent-vintage bane of the copyright
industries, fits on a single floppy disk.) Whatever the ultimate
outcome of the Morpheus case, the fact is that the Internet was
built to copy things. Almost every software application that
capitalizes on this central functionality is therefore a Kinko’s of
sorts, and decreeing all search-and-copy software to be contributorily
infringing copyright is simply too large a step for a
court to take. Microsoft Windows’ “Network Neighborhood”
feature, for example, is simply a way to swap files, and the
company has promised that improvements to its next version
of Windows will focus on indexing and finding desired material
across a network.

Publishers  have  successfully  lobbied  for  the  introduction  of 
widely reviled legislation to respond to this problem. The proposed
legislation would require software and hardware makers
to  incorporate  copy  controls  similar  to  those  demanded  of  DAT 
manufacturers  into  PCs  and  other  digital  devices  capable  of 
displaying  content. 


But  publishers  are  also  taking  the  battle  to  other  fronts, 
namely  to  Internet  service  providers,  or  ISPs.  ISPs  have  little 
interest  in  becoming  the  Net  police.  They  exist  to  move  data 
around  or  to  host  it.  A  decently  politically  empowered  group 
in  its  own  right — think  of  the  likes  of  AOL,  Comcast,  MCI, 
Verizon  and,  of  course,  Microsoft — ISPs  obtained  a  federal 
exemption in 1995 from nearly any liability under state common
law for hosting defamatory or other harmful content. If
someone  posts  a  message  on  AOL  calling  another  company’s 
CEO  a  cheat  and  a  fraud,  depressing  that  company’s  stock 
price,  AOL  is  under  no  obligation  to  take  down  the  posting, 
even  if  the  company  has  pointed  out  its  manifest  falsity. 

With copyright, however, there is no such blanket exemption
from liability. Among a hodgepodge of individual cases
going in different directions on ISPs’ liability for hosting or
carrying unauthorized copyrighted material, there
astoundingly remains no clear statutory answer to the question
of what is legally required of ISPs. When ISPs happen to be
companies or universities giving their employees or students
Internet access, the problem grows. CEOs and network
administrators receive literally thousands of letters insisting
that they stop allegedly illegal activities on their networks.
With no one able to give them credible guidance on their actual
legal responsibilities, their typical response is to gravitate
toward a statutory “safe harbor” and to take down challenged
material—or to deny network access to anyone who is accused
of bad copyright behavior.

Finally  Facing  Reality 

How  is  it  that  IT  and  ISP  industries  easily  10  times  the  size  of 
their  publishing  counterparts  are  being  harnessed  to  the  needs 
of  their  little  siblings?  One  answer  is  rooted  in  a  form  of  status 
quoism  that  sees  the  current  allocation  of  rights  and  duties 
under  copyright  as  “fair”  and  the  happenstance  of  technical 
innovation  that  might  displace  it  as  “unfair.”  The  utilitarian 
complement to that argument is that copyright provides incentives
for innovation, and if copyright is rendered ineffective,
the  creators  create  less  or  cease  altogether. 

What’s obscured in that analysis is due credit for the longstanding
status quo of individual practice in spite of (and previously
simply alongside) Title 17.

The Net forces us to confront the contradictions between
what the law technically requires and what individuals do. Initial
attempts to reconcile the two have been disappointing.
Take, for example, the new phenomenon of music webcasting,
a digital transmission of audio that appears to the user
like a traditional broadcast—except that it’s available over a
computer network on a computer screen. Under the 1909 copyright
law and its progeny, a radio broadcast of a CD results in
money owed to the songs’ composers for the “public performance.”
No money is owed to the record company, since the
CD isn’t copied. Actually copying the CD is a right typically
reserved to the recording artist (which means the producing
record company) under the 1971 law and its progeny, and if
permission is granted (usually in exchange for money), a small
amount of money is owed to the composer of the song for the
creation of the mere copy, often extracted through a compulsory
license.


So, a perfect question for a copyright exam circa 1997: Who
should collect when a song is webcast, since it acts like a broadcast
(remember the 1909 law), but technically speaking, a temporary
copy of the song is made in the computer’s memory (the
1971 law)? Should it be the composer or the record company?

In 1998, Congress answered “yes.” A webcaster owes both.
How much is owed to the record company? Whatever it wants
to charge, if it wants to allow the webcast at all. Unless, of
course, a webcaster qualifies for a compulsory license, by—and
this is in the law—“transmitting during any given three-hour
period no more than any of: (1) three different selections
of sound recordings from any one CD, if no more than two
such selections are transmitted consecutively; (2) four different
selections of sound recordings by the same featured recording
artist or from any set or compilation of CDs distributed
together, if no more than three such selections are transmitted
consecutively.”

Got that? Oh, and the webcaster must take care not to preannounce
what songs are about to be played. Hew to all these
rules, and you still pay—it’s just that the rate, rather than being
set by the record company, is set under the law by a three-judge
arbitration panel after taking weeks of testimony, so long
as the panel is not (this really happened) overruled by a subsequent
act of Congress setting entirely different rates.

The Internet links people together point to point, enabling
individuals to broadcast as well as to consume audio streams.
But they won’t broadcast if they can’t figure out how to do so
lawfully, or if they can’t afford to do so after being charged
twice. Cheap software lets individuals create new works from
the old, mixing and matching in the finest traditions of jazz
improvisation. But people won’t do it if they receive a notification
of termination of their Internet service.

Yes, I hate the effects of copyright on a digital revolution that
portends so much more than the banal act of ripping the tracks
off of CDs. I hate that creativity is metered and parceled to its
last ounce of profit. I hate that our technology is hobbled even
beyond its paper and other analog counterparts so that it
permits us to view but not print, listen but not share, read once
but not lend, consume but not create.

But  I  can  hate  this  situation  without 
believing  that  the  idea  of  copyright  is 
fundamentally  flawed.  The  framers’ 
vision  of  intellectual  property  (then 
simply  called  monopolies)  called  for 
built-in  limits  to  the  exclusive  rights 
intellectual property entails, like copyright
terms that expired even if a work
was  still  of  commercial  value.  Those 
who  spend  careers  mastering  today’s 
copyright  law  have  become  lost  in  its  detail.  Using  the  obscure 
vernacular  of  specialists,  they  keep  arranging  and  rearranging 
the  sticks  in  the  bundle  of  rights  found  with  Title  17,  building 
ungainly  legal  Tinkertoys  and  then  calling  upon  the  public  to  be 
able  to  follow  each  spoke  and  hub. 

So  why  should  we  care  who  gets  the  merchandising  deal 
from  a  movie  or  the  song  tie-in  on  a  variety  show? 

One  reason  is  that  the  publishers’  sights  are  inevitably  now 
set  on  the  public.  It  is,  for  example,  technically  against  the  law 
for Girl Scouts to sing songs around a campfire without paying
royalties. (The American Society of Composers, Authors
and Publishers [ASCAP] tried to collect such royalties. “They
buy paper, twine and glue for their crafts—they can pay for
the music too,” John Lo Frumento, ASCAP’s chief operating
officer, told The Wall Street Journal. ASCAP backed off only
after it faced public outrage—which was fanned by restaurateurs
wanting to play the radio without having to pay fees.
After a confusingly written press release both denying that it
had ever sought to ask any Girl Scout camps for money and
apologizing for asking the Girl Scout camps for money, it now
charges the Scouts $1 a year, forgoing real profits while making
it clear that the girls sing the songs only by ASCAP’s belated
good  graces.) 

We are in the midst of a cultural war over copyright, in
which the salvos show the complete disconnect between the
colliding copyright regimes of statute and practicality, law and
life. A formal report by a commission chartered by the British
Patent and Trademark Office suggests, without a trace of
self-consciousness, that we encourage schoolchildren to include the
copyright symbol on all their homework. The Business Software
Alliance, a commercial software industry group, just unveiled
a website for kids to inculcate the values of Title 17 over those
of consumer praxis. There a kid can play Piracy Deepfreeze,
becoming a crusading, well, ferret. “Stop the pirates from freezing
the city! Throw your ball into the pirates and their stolen
software before they hit the ground.”

These attempts to lawyerify our culture won’t work. We
hew to laws against stealing because there is already cultural
consensus that stealing is wrong, rooted in the fact that the
thief deprives the good citizen of the stolen property. To copy
an idea does no such thing; wrote Jefferson, “he who lights his
taper at mine, receives light without darkening me.” However,
it does indeed deprive the original author of the ability to
monopolize the idea and perhaps extract money from it. That
can serve as a reason to create and enforce such a monopoly,
but it’s not nearly as grounded in our ethical senses as is robbing
a bank or vandalizing a house.

A  Rational  Call  to  Rational  Action 

It’s time for us to wise up and redraw copyright’s boundaries
so that the law and reasonable public expectations fall
into better alignment with one another. To be sure, this may
require more, rather than less, subtlety. We should treat protections
for computer software in an entirely different way
than music, for example, and lengthy copyright terms should
be available only to those who at least bother to check in
with the Copyright Office every few years. (Joseph Liu suggests
incrementally scaling down copyright protection as
each particular covered work ages.) But we do ourselves a
fundamental disservice by fixating on current income structures
and not thinking about future possibilities premised
on amazing technological advances, especially when the
rights at issue concern the flows of ideas, something fundamental
to free societies.

Scholars such as William Fisher of Harvard Law School
have floated ideas as sensible as they are radical—not to mention
offensive to almost every interest in the copyright debates,
from publisher to middleman to anarchist. He suggests in an
upcoming book that ISPs remit to publishers a fee loosely based
on the amount of copyrighted digital content that they are
roughly calculated to be carrying, at which point people can
trade music to their hearts’ content. (Note: Although Fisher’s
book, Promises to Keep, is not due out until next summer, you
can read an excerpt from its publisher, Stanford University
Press; find the link at www.cio.com/printlinks.)

Such reworkings of copyright will have costs to someone—they
wouldn’t be reworkings if they didn’t. In the absence of
tough copyright controls, investors may decide not to underwrite
a $200 million blockbuster film because copying of the
final product may unduly reduce their expected profit. (As
Eben Moglen once said, “Society has been vastly underproducing
pyramids since the time of the pharaohs.” The
economic and social system that made pyramid production
sensible simply doesn’t exist anymore, and no one
seems to miss it, even if we’re a few pyramids
short of where we’d like to be.)

The  cost  of  making  no  change  at  all  must  also  be  soberly 
assessed,  all  the  more  so  because  the  Internet  heralds  such  a 
staggering potential for the rapid transformation and evolution
of ideas. This is not about the crass ripping-off of CD
tracks  but  about  a  possible  Jazz  Age  of  creation  enabled  by 
technology. 

I  pay  my  taxes.  I  have  no  idea  how  to  calculate  them,  but  I 
do  what  TurboTax  tells  me  to.  I’ll  pay  a  copyright  tax  too  and 
willingly  support  artists  whose  work  I  appreciate,  because  it’s 
the  right  thing  to  do,  and  because  it  guarantees  that  more  work 
will  be  made  available  to  me.  I’m  not  alone. 

So,  let’s  imagine  a  world  in  which  Teddy  Ruxpin  can  say 
whatever he wants, where kids can play and create with computers
that have not been hobbled by overly zealous digital
lockdowns,  where  bars  and  restaurants  can  have  big  TVs  and 
stop  measuring  their  parking  lot  patios,  and  where  amateur 
webcasters  can  create  thousands  of  radio  stations  featuring 
songs  we  like,  perhaps  ones  that  sound  familiar  but  that  have 
entirely  new  elements  to  them.  We’ll  still  buy  concert  tickets, 
books  and  even  CDs,  and  their  digital  descendants. 

They’ll  be  competing  with  a  lot  more,  though — that  which 
is created for fun, not just for profit.

This  work  is  licensed  under  a  Creative  Commons  License 
(creativecommons.org). 


Jonathan  Zittrain  is  assistant  professor  of  law  and 
codirector  of  Harvard  Law  School's  Berkman  Center 
for  Internet  &  Society.  His  research  includes  digital 
property,  privacy  and  speech.  Send  feedback  to 
letters@cio.com. 




Edited by Christopher Lindquist


From  Inception  to  Implementation- IT  That  Matters 


Business Transformation Outsourcing promises technical
innovation—if you set expectations properly and can
stomach the risk

Welcome to Essential Technology, the expanded successor to our
popular Emerging Technology section. Check here for in-depth
stories and opinion about critical technology for today's enterprise.


Betting  on  BTO 

BY  DAVID  L.  MARGULIUS 

OUTSOURCING  |  Ask  most  CIOs  about  the  biggest  benefits  of  outsourcing  relationships, 
and  “innovation”  is  unlikely  to  top  their  lists.  Conventional  wisdom  holds  that  outsourcers 
can  do  only  what  they’re  told — they  can  help  reduce  costs  and  manage  technology  efficiently, 
but  they  can’t  innovate  or  help  a  company  use  IT  to  transform  the  way  it  does  business. 

But a new marketing push by some of the largest IT outsourcers is aiming to change that belief. Under the banner of Business Transformation Outsourcing, or BTO, the providers claim that new types of outsourcing relationships can help initiate technology-based business transformations—rather than simply lowering costs.

It’s too early to tell if BTO will deliver on its promise or just turn out to be a ploy to sell strategy consulting on top of traditional IT services, but the term’s very existence is another clear indicator that enterprises are seeking creative ways to get consultants to assume more risk and responsibility for delivering business innovation.

An  Innovative  Edge? 

“The idea that you continue to have joint accountability and vested interest in what happens seems to make a lot of sense,” says Lou Delery, vice president of operations for AT&T Consumer Services, describing a BTO-like structure he calls “cosourcing” that his company chose for a $2.6 billion deal with Accenture.

ILLUSTRATIONS BY ANDREW STEWARD

While stopping shy of an actual joint venture, the deal’s structure aims to reward consultants for delivering ongoing innovation by creating a new organization staffed by both AT&T and Accenture employees, with its own pro-forma P&L and gain-sharing provisions, according to Delery. Technology investment decisions are guided by a quarter-to-quarter master plan and financial metrics.

The genesis of the deal, he says, was AT&T’s realization that it had fallen behind on key technologies in its consumer sales and customer care operations—such as CRM, personalization and self-service—and that it needed a partner to help it deploy innovative technologies quickly and strategically to achieve business goals such as customer retention.

“Technology had changed dramatically, and [our] ability to serve customers was lagging a little bit,” says Delery. At the same time, however, he adds that AT&T knew that “one of the things you have to be very careful about with outsourcing was taking a part of your business and giving it to another company.” So in negotiating the deal, the company made sure it would retain all control over business direction, marketing strategies, product offering definitions and the “customer experience blueprint.”

“Cosourcing allows you to retain quite a bit of control,” says Delery, while also creating the right incentives for ongoing innovation on the part of outsourcers. “They have an incentive to make the technology work even [better]. There’s a certain committed investment that they’re making and we’re making.” The deal structure also helped AT&T reduce its up-front capital outlays and retain IT talent within AT&T, Delery claims. AT&T has subsequently added a similar $500 million deal with Accenture for credit and accounts receivable management.

Benefits  of  Offshore 

Other enterprises have attempted to reap the benefits of outsourced innovation using more traditional deal structures. In 1999, when Ron Glickman became senior vice president and CIO of San Francisco-based DFS (Duty Free Shoppers) Group, a unit of Moet Hennessy Louis Vuitton, he found that the IT operation was badly in need of a transformation. “The organization was perceived as a cost to be minimized and not very strategic,” he says, and it was split into 10 different regions supporting the company’s luxury products stores.

Glickman quickly started exploring opportunities to remove cost and improve service. “It was clear to us from the beginning that we had to do both,” he says. So he created a map that involved outsourcing key IT processes such as systems development to Cognizant Technology Solutions, a vendor with extensive offshore development capabilities.

Glickman then negotiated a three-year deal that commits a guaranteed revenue stream to Cognizant with the capability to add projects on a pay-as-you-go basis. “We don’t do gain-sharing [as does AT&T],” says Glickman, “but as they come up with ideas to reduce our costs, we redeploy some of those dollars into other projects.”

Thirty percent of the Cognizant team is dispersed throughout DFS’s operating environments, and 70 percent is offshore, mainly in India. The result? “It’s working great,” says Glickman, who points to specific technology successes driven by Cognizant recommendations. DFS had legacy merchandising systems running in 10 different locations, for example, which Cognizant was able to consolidate onto a single IBM AS400. Glickman says the vendor also found a way to rearchitect DFS’s data warehouse environment for faster reporting and a single view of enterprisewide data.

BTO Tips

Thinking about doing a Business Transformation Outsourcing deal? Here are some tips from CIOs who’ve been through it.

Look in the mirror, and clearly define your goals and objectives. What are your strategic goals and requirements? What's core to success in your business, and what's not? What technology innovation do you need to leverage during the next five years to compete successfully? Develop a vision that includes a technology investment road map and a clear understanding of the transformation you want to achieve.

Develop the right deal structure. Leverage an experienced third party to help you design the right structural deal framework. Give the vendor financial incentives for finding creative ways to drive technology innovation to support your business. Set strategic goals in addition to financial targets, and measure success by outcomes rather than inputs. Use a gain-sharing mechanism to achieve the right risk-reward balance.

Build strong relationships and governance. Find a BTO vendor that fits your value system and one for whom you will be a significant (but not necessarily the biggest) client. Build strong relationships between your executives and the vendor's. Treat it like a partner, let it make mistakes, and take a long-term view on sharing risk and reward. Bake flexibility into the governance mechanism so that you can modify the agreement as you go.

Keep control. Retain control over core strategy, planning, decision making, product definition and key IT outcomes. Focus on retaining and motivating key internal IT talent. Make sure your vendor is precluded from working with your key competitors.

And take your time to make decisions when negotiating the deal—there's a lot at stake in getting it right! -D.M.

BTO,  Ill-Defined? 

According  to  Agilent  Vice  President  and  CIO 
Marty  Chuck,  who  led  his  IT  team  through  a 
major  transformation  when  the  company 
spun  out  from  Hewlett-Packard  in  1999, 
transformation  outsourcing  is  a  concept  that 
exists  in  the  eyes  of  the  beholder. 

“One person’s outsourcing, or management consulting, or vendor software purchase is business transformation to them,” says Chuck. “You do BTO for a couple of reasons—improve capabilities, reduce cost, lower risk. You’re either transforming, or you’re outsourcing, or you’re doing both—they’re neither mutually exclusive nor married.”

To help facilitate the Agilent divestiture, Chuck cloned a copy of HP’s IT infrastructure. Unfortunately, that design was twice as expensive and 10 times the complexity of what the new company would ultimately need. It was also burdened with thousands of legacy applications. So Chuck turned to a group of trusted vendors to help drive a transformation. “We kind of got a kick in the rear when we left HP to fundamentally transform ourselves,” says Chuck, who realized he needed to make dramatic changes quickly to resize and rationalize the infrastructure.

Chuck began by consolidating Agilent’s technology spending so that it could be “pointed at our significant partners”—a small handful of major vendors such as Oracle and Deloitte Consulting. He then proceeded to involve those vendors in helping drive the company’s transformation to an environment consisting of fewer integrated applications, such as ERP, that could serve as the basis for further innovation. The end result was a 50 percent reduction in IT spending while maintaining “substantially the same” service levels.

“Before, we pretty much kept our body shop vendors at arm’s length,” explains Chuck, describing Agilent’s deepening BTO relationship with Deloitte Consulting (and the other select vendors). “Now [we’re] beginning to use them to help put together an integrated IT strategy. Our relationship with them is much more involved. The value is much higher.” In addition to helping to identify growth opportunities and figure out how to prioritize projects, says Chuck, “they tell me everything that is going on in my organization that does not align with my strategy.”

Chuck’s conclusion? “As much as IT organizations like to believe that they’re innovators, they can’t innovate as fast as partners who are deeper in the areas they want to innovate,” Chuck explains. “I can do IT better by knitting together vendors.”

Buzzword du Jour?

Despite its promise, the BTO concept certainly has critics. “BTO promises to solve all the problems you don’t know you have yet,” says Stan Lepeak, a vice president in the technical services practice at Meta Group. “It’s a very nebulous term.” Lepeak isn’t convinced an outsourcer can take over an IT-driven business process and also transform it. “Three to five years down the road, how do I know that I’ll still be competitive?” he asks.

He cites the challenges of measuring BTO’s success without clear benchmarks, motivating and retaining internal leaders who are left with only a skeleton staff, and managing competitive conflicts with vendors who may be servicing multiple industry players.

Megadeals, or outsourcing contracts worth more than $1B, increased from 8 in 2001 to 11 in 2002. SOURCE: IDC

“The  pieces  are  really  just  being  put 
together,”  Lepeak  says.  “It’s  a  natural  next 
step,  but  we’re  looking  at  a  five-  to  10-year 
maturation  process.”  He  says  vendors  that 
require  a  steady  diet  of  big  deals  are  currently 
pushing  BTO.  “It’s  a  way  of  saying  we  want  to 
kind  of  run  a  lot  of  their  business,”  he  says. 

Others claim that the value in BTO-type deals actually lies less with vendor innovation than with access to state-of-the-art third-party technology, which lets enterprises fundamentally restructure labor-intensive functions and more quickly introduce innovations at a lower cost. Peter Bendor-Samuel, CEO of Everest Group, a Dallas-based outsourcing advisory company, cites the example of HR, “a business process that’s chronically underinvested.

“Are we really innovating in HR?” Bendor-Samuel asks. “We are, but we’re all doing it the same way. You have an opportunity for a big investment to be leveraged across industries.” He claims that BTO-type deals will allow enterprises to leverage “other people’s money”—capital investments by outsourcers in new technology platforms that support, for example, customer or employee self-service capabilities.

“If the suppliers would just stick to that story, that’s where the real value is,” claims Bendor-Samuel, implying that the “innovation” component of the BTO pitch is just marketing hype. “The reason they’re trying to lead you down the other garden path is they want the extra margin for the customization piece of it,” he says.

It’s All About Structure

Unlike traditional outsourcing, the industry has not yet developed standard structures for BTO deals—each is unique. Regardless, customers and vendors say a deal’s structure is a key to success.

Business transformation is “not just smart people sitting around, but about traction, getting it to work,” says Agilent’s Chuck. “The creativity part I think I can buy; the innovation is about having a governance structure, weaving the great ideas into supporting your company’s strategy. You have to have a very clear governance model.”

Many BTO deals are structured as joint ventures or close variants. “These have to be gain-sharing deals,” insists Meta Group’s Lepeak. “It can’t be an us-and-them; it has to be a we. It doesn’t need to be a joint venture, but it has to be pretty darn close.”

The best BTO deals incorporate standard outsourcing terms such as operating and service-level agreements, clear definitions of roles and responsibilities, and incentives. And they also provide mechanisms for dealing with total unknowns. “You want to be able to modify what you have,” says AT&T’s Delery, who says his company’s deal with Accenture allows either side to come to a steering committee and say, “Our business or your business has changed,” and to discuss what that shift means for the relationship.

Whether BTO will become a dominant form of outsourcing relationships remains to be seen. However, it is clear that the bar is being raised on the outsourcing community by its own marketing initiatives. And CIOs should be ready to wring every advantage out of the new reality.

David L. Margulius is a San Francisco-based writer and analyst focused on enterprise IT. He can be reached at dave@enterpriseinsight.com. Essential Technology Editor Christopher Lindquist is available at clindquist@cio.com.

Xerox Minds Its MEMS

OPTICAL SWITCHES | If you think your data center is too crowded, pay attention to researchers at Xerox, who hope to make optical switches much smaller than today’s devices. The secret lies in a technology called optical MEMS, or micro-electrical-mechanical systems.

Silicon transistors grow smaller and faster by the hour, it seems, based on the power of new chips. But chips can’t move objects or sense a change in the environment. They are essentially extremely powerful calculators.

A MEMS device, however, combines the computational power of a chip with the sensing and directing ability of a mechanical device. And now a group at Xerox is working on MEMS devices that can move light beams in order to route traffic around a network.

Current networking technology does this with a rack of expensive, complicated equipment, says Joel Kubby, technical manager and leader of Xerox’s MEMS group. And the traffic that flows across a network has to be placed on a particular electrical path, he notes. A MEMS device could perform the same function in the optical domain, Kubby claims.

Optical switches exist today, but they have to convert optical beams to electrical current, then convert those back into optical signals. Optical switches based on MEMS devices could work in an all-optical environment, thereby satisfying the three magic requirements for new hardware: Make it smaller, faster and cheaper.

Other potential uses for MEMS devices include printing, where a MEMS-based print head could replace the expensive parts currently used to arrange colors on sophisticated printing jobs. MEMS devices may also become part of the solution to the "last mile" effort to bring broadband pipes directly into consumers’ homes by replacing the more expensive and space-consuming equipment necessary to route optical signals. The same technology could also let IT managers access data stored offsite quickly and directly, enabling extremely efficient remote backup procedures.

-Tom Krazit




You  Want 
Wi-Fi  with  That? 

BY  ERIC  KNORR 

Roadside wireless options abound—even at McDonald's—but can you let users take advantage and still keep your systems safe?

WIRELESS | McDonald’s might seem like the last place on earth where someone would try to hack your enterprise network. But watch out: That clown at the corner table with the widescreen laptop and the supersize fries could be using your employee’s Wi-Fi connection to plunder your corporate nuggets.

Yes, for a few dollars an hour, some McD’s locations really do offer Internet access via Wi-Fi—but you’d never let an employee make a corporate connection through a wireless hot spot. Or would you? Wi-Fi is becoming as much a part of the culture as the mobile phone. Eventually, nothing will stand in the way of providing employees with ubiquitous high-speed access to everything they need for work, even while they’re sipping a shake.

In truth, hot-spot security risks differ very little from those inherent in any remote Internet connection to your network. To stop hackers you need a personal firewall. To repel those who would dip into the communications stream, you must use a VPN. With these tools in place, the security risks plunge—and all the scary talk about lame Wired Equivalent Privacy (WEP) encryption and unfinished wireless security standards disappears.

The problems of securing remote wireless access lie in deployment and maintenance—things such as dedicating servers and routers to VPN hosting. Most important, you need to figure out how to migrate your company’s security policy to the far reaches of remote access so that users must use the protection you’ve installed on their machines.

Confronted with such hassles, many companies are turning to managed remote access services to deploy VPNs and other protective measures. The big telecoms, particularly AT&T, have been active in this area. But managed remote access has become a hot target for carrier-independent startups as well, with such insurgents as Aventail, Fiberlink, Gric, iPass and TManage garnering attention. Those players have cut deals across the major network service providers, including those that run hot spots, providing a big virtual network for end users. And they can deliver complete remote access solutions to enterprises tailored to individual security policies.

Saving  Time  and  Money 

All of these service providers put managed remote authentication at the center of their value propositions. This service is handled by one of their preconfigured servers ensconced in your data center. It uses your authentication database to validate remote clients, which run a proprietary bundle of VPN, firewall and antivirus software. In other words, they shoulder the burden of deploying and maintaining all that nasty stuff. And the software suite can enforce your security rules, such as not allowing a client to fire up the VPN unless the firewall and antivirus software is running. In addition, the software is intended to make connection and authentication as simple as possible for the client—not a characteristic most people associate with VPNs.
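The rule described above, no VPN unless the firewall and antivirus software is running, amounts to a client-side posture gate that fails closed. The sketch below is an added illustration, not code from the article or from any vendor it names; the process names, the signature-age limit and the `connect` callback are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Hypothetical process names for the protective components; a real client
# bundle would use its own identifiers.
COMPONENT_PROCESSES = {"firewall": {"fwagent"}, "antivirus": {"avscan"}}


@dataclass(frozen=True)
class Policy:
    # The article's rule: both must be running before the tunnel starts.
    required_running: Tuple[str, ...] = ("firewall", "antivirus")
    # Assumption, not from the article: stale signatures also block the tunnel.
    max_signature_age_days: int = 7


@dataclass(frozen=True)
class Posture:
    running: frozenset                        # protective components seen running
    signature_age_days: Optional[int] = None  # None means "could not be read"


def running_components(process_names: Iterable[str]) -> frozenset:
    """Map a process listing to the protective components it shows are up."""
    seen = {name.strip().lower() for name in process_names}
    return frozenset(
        component
        for component, procs in COMPONENT_PROCESSES.items()
        if procs & seen
    )


def evaluate(posture: Posture, policy: Policy = Policy()) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Anything missing or unknown fails closed."""
    reasons: List[str] = []
    for name in policy.required_running:
        if name not in posture.running:
            reasons.append(f"{name} is not running")
    if "antivirus" in posture.running:
        age = posture.signature_age_days
        if age is None:
            reasons.append("antivirus signature age unknown")
        elif age > policy.max_signature_age_days:
            reasons.append(
                f"antivirus signatures are {age} days old "
                f"(limit {policy.max_signature_age_days})"
            )
    return (not reasons, reasons)


def guarded_connect(posture: Posture, policy: Policy,
                    connect: Callable[[], str]) -> str:
    """Call connect() only when the posture satisfies the policy."""
    allowed, reasons = evaluate(posture, policy)
    if not allowed:
        return "blocked: " + "; ".join(reasons)
    return connect()


# Constructed sample postures (not real telemetry).
HEALTHY = Posture(running_components(["explorer", "FWAgent", "avscan"]), 2)
NO_FIREWALL = Posture(running_components(["explorer", "avscan"]), 2)
STALE_AV = Posture(running_components(["fwagent", "avscan"]), 30)
UNKNOWN_AGE = Posture(running_components(["fwagent", "avscan"]))

if __name__ == "__main__":
    samples = [("healthy", HEALTHY), ("no firewall", NO_FIREWALL),
               ("stale AV", STALE_AV), ("unknown age", UNKNOWN_AGE)]
    for label, posture in samples:
        print(f"{label}: {guarded_connect(posture, Policy(), lambda: 'tunnel up')}")
```

A client-side check like this only reports what the laptop says about itself, so the authentication server in the data center remains the point that actually grants access.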

Another benefit is that managed access services also consolidate billing. It doesn’t matter whether clients connect from a hot spot, dial-up or hotel room—or which network owns the pipe. It all goes on one bill.

All of this dovetails nicely with the trend toward telecommuting as well as computing in public places. Laptops have surged in popularity as primary machines, providing a de facto invitation to employees to carry their work out of the office. When people do that, you want to give them more than e-mail—you want to provide them with real access.

Personally, I wouldn’t wish a couple of hours at McDonald’s on anyone. But the free-roaming world is upon us, so whether users connect at Starbucks, an airport lounge or the family room, a secure machine and its connection are essential. Anything that soothes the security worries of an increasingly distributed workforce is a good thing.


Eric  Knorr  is  a  freelance  technology  writer  based  in  San 
Francisco.  He  can  be  reached  at  eknorr@pacbell.net. 




PHOTO  BY  EDWARD  CALDWELL 


CIO 04: The Year Ahead
Issues ► Ideas ► Impact
A CIO Perspectives Conference

What are our vulnerabilities? What are our options? What are our peers doing?

WHERE
JW Marriott Desert Ridge Resort & Spa, Phoenix, AZ

WHEN
November 2-4, 2003

REGISTER NOW
www.CIO.com/conferences
800.366.0246

In order to ensure a true peer group experience, attendees must meet CIO Executive Programs' qualifications.

Presented by
The Resource for Information Executives

The  Economy 

►The  Global  Economy: 
Fortune  Favors  the  Bold 

Lester  Thurow,  Author  &  Professor  of  Management 
&  Economics,  MIT  Sloan  School  of  Management 




The global economy is linking the fortunes of every nation on every continent—for good or for ill. Its hallmark is a rising instability and a growing inequality between the first and third worlds. The US and other first world economies are in ever more frantic boom and bust cycles. Financial crises in the third world come frequently and are increasingly severe. The spread of globalization provokes riots, civil disobedience, and is a factor in the rise of terrorism. Now, Thurow argues, is the time to do something to change all this—before it’s too late. Today, we are at a critical crossroads in the development of the global economy—we can sit back and let it grow as it will. Or we can seize the moment and build economic systems that will minimize instability, allow second and third world countries to thrive, and protect and enhance our own American interests. Globalization, says Thurow, can be shaped.

►The  New  Normal 

Roger  McNamee,  Co-founder  and  General  Partner, 
Integral  Capital  Partners 

After the ‘90s boom and subsequent bust, we’ve landed in what veteran technology investor Roger McNamee calls the New Normal. Although he believes we won’t see that type of growth in the technology sector again in our lifetime, he does believe there’s a lot to gain in the long run. The bulk of an industry is historically built up after the euphoria rages and the bubble bursts, and IT is no exception—and, in fact, still remains the principal weapon in helping an organization create a competitive edge. What’s different in the New Normal? Technology is completely interwoven into the social fabric; getting things right is more important than getting them done quickly; the focus needs to be on creating real economic value; and leaders need to be both flexible and responsive.


Law  &  Society 

►The  Future  of  Free  Software 
in  the  Corporate  Environment 

Jonathan  Zittrain,  Conference  Moderator  &  Faculty 
Co-Director,  Berkman  Center  for  Internet  &  Society, 
Harvard  Law  School 

The case of SCO v. IBM has underscored the potential for claims of unlawful adoption of proprietary code by proprietary software owners against producers and consumers of free software. This lawsuit—and more generally, the ready way in which the collaborative model of free software development can become vulnerable to credible accusations of copyright infringement—could reverse the nascent mainstream corporate embrace of free software. In this session we explore how cautious CIOs should be in using free software generally and Linux in particular, and how policymakers might decide the extent to which the possibility of pirated code should slow or halt free software development, how it compares to the converse poisoning of proprietary code by free software, and what, if anything, should be done to draw a proper boundary—a demilitarized zone—between these heavily competing models of code creation.

►The  Law  &  The  CIO 

Bruce  P.  Keller,  Partner,  Debevoise  &  Plimpton 

Recent  court  decisions  have  increased  both  the  cost 
and  risk  to  companies  that  have  not  implemented 
document  retention  policies  anticipating  electronic 
discovery  issues.  Although  the  obligation  to  retain 
and  produce  digitally  stored  information  (e-mails, 
drafts,  slide  presentations,  web  pages  and  other 
data)  dates  back  decades,  many  companies  still 
have  not  thought  through  how  the  unique  issues 
associated  with  electronic  document  production 
affect  them.  This  session  explains  (1)  the  basic  rules 
governing  discovery  in  commercial  litigation,  (2)  the 
qualitative  and  quantitative  differences  between 
paper  and  electronic  discovery  and  (3)  the  legal 
developments  that  are  changing  and  shaping  the 
policies  a  company  ought  to  have  in  place  to  manage 
risk  in  this  area. 




Future  of  IT 
People,  Jobs 
&  the  CIO 

►The  Future  of  IT 
Jobs  and  People 

Martha  Heller,  Director,  CIO  Best  Practice 
Exchange  &  CIO  Select;  H.  James  Dallas,  Vice 
President  &  CIO,  Georgia-Pacific  Corporation; 
David  Guzman,  Senior  Vice  President  &  CIO, 
Owens  &  Minor;  Mark  Polansky,  Managing 
Director,  IT  Practice,  Korn/Ferry  International; 
Kathleen  Starkoff,  CTO  &  Group  Vice  President, 
Limited  Brands,  Inc.;  Thomas  L.  Smith,  CIO  & 
Senior  Vice  President,  Waste  Management,  Inc. 

Over the next several years, CIOs will increasingly
face major challenges in managing and
motivating their workers, particularly since we
will have four generations working side by side,
each with their own cultures, value systems,
expectations, and attitudes. Many baby boomers
will be retiring, creating an exodus of people and
skills from the workforce. GenX and GenY have
entirely different attitudes toward the implied
“work contract,” and there aren’t enough of
them anyway to make up the difference. There's
still a serious lack of diversity in the IT ranks:
women and minorities are not flocking in droves
to IT. And then there’s outsourcing and, more
drastically, offshoring, taking away IT jobs
permanently and creating heated debates on
public and corporate policy. How do you manage
all that?

►The  State  of  IT  Education 

Moderator: Rick W. Swanborg, Jr., President &
Founder, ICEX; Panelists: Jeri Dunn, Senior
Vice President & CIO, Tyson Foods, Inc.;
Keri E. Pearlson, PhD, Research Director,
The Research Board

Concerns about the education and training of
the next generation of IT professionals are growing
as colleges and universities cut IT courses, baby
boomers start retiring, and fewer students
choose technology studies. How can you
influence the academic environment to graduate
more students with greater skills that are
relevant for the IT profession? What are some
practices for building a winning relationship
between an academic institution and IT organization?
How do you enhance new graduates'
skills with mentoring, project assignment, and
training programs?

►The  Future  of  IT 
&  the  CIO 

Moderator: Abbie Lundberg, Editor in Chief,
CIO Magazine; Panelists: Michael Clifford, CIO,
Whole Foods Market; Jerry Gregoire, Industry
Observer; Thornton May, Industry Observer;
Mark Polansky, Managing Director, IT Practice,
Korn/Ferry International; Sheleen Quish, Global
CIO & Vice President, Corporate Marketing,
United States Can Company

This  panel  debates  the  collective  impact  on  the 
IT  function  and  the  CIO  role  of  some  major 
forces  at  work  in  the  business  world  today: 
trends  in  the  global  and  domestic  economy,  the 
labor  market  and  sourcing,  the  future  of  IT  jobs 
&  education,  new  legal  pressures,  trends  in 
technology,  and  more.  What  new  technology, 
governance  and  organizational  models  will 
emerge? What will be core and what commodity?
Where will companies find their strategic
advantage? How can CIOs best influence these
trends to the benefit of their own organizations
and their own careers?

Technology 

►Technology Futures:
Bits & Atoms

Neil  Gershenfeld,  Professor  &  Director  of  the 
Center  for  Bits  and  Atoms,  MIT  Media  Lab 

The biggest thing coming in information technologies
will be literally outside of the box, as the
programmability of the digital world is brought
to the rest of the world. Gershenfeld looks
beyond the end of the digital revolution at
emerging means for manipulating information,
both virtual and physical. He starts with "fungible"
computing materials that promise to let
server capacity be added by the pound or square
foot, then shows why digital logic itself unnecessarily
limits the power of information processing
devices and discusses alternatives that take better
advantage of what nature can do, and closes with
the remarkable consequences of personalizing
fabrication rather than computation for industry,
consumers, and the rest of the planet.

►Technology  Futures: 
What’s  Getting  Funded 
Now— and  Why? 

Moderator:  Chris  Lindquist,  Technology  Editor, 
CIO Magazine; Panelists: Paul Barth, Co-managing
Partner, NewVantage Partners LLC;
Todd  Dagres,  General  Partner,  Battery  Ventures; 
Erik  Lassila,  Managing  Director,  Clearstone 
Venture  Partners;  Nick  Sturiale,  Partner,  Sevin 
Rosen  Funds 

Our group of venture capitalists shares their
thoughts on which technologies are getting
funded now, and which aren’t. What are they
seeing that they feel has the most promise? Are
CIOs really risk averse when it comes to newer
technologies and start-ups now, and how do
CIO concerns about vendor viability impact what
VCs are willing to invest in?

►CIO  Roundtable 
Reporting  Panel: 
Technology  Futures 

Moderator: Chris Lindquist, Technology Editor,
CIO Magazine; Panelists: Christopher Feloa,
Vice President, Technology, Belo Interactive;
Asiff Hirji, Executive Vice President & CIO,
Ameritrade Holdings

Our CIO panelists share their thoughts on this
morning's sessions and the questions posed for
the discussion roundtables. What do we see as
the key technologies we really need, and why?
What are the implications of SCO v. IBM?
What are some of the major initiatives the tech
industry could undertake to simplify the introduction of
new technology? What other profound changes
can we expect to see in our lives from new
technologies?


Sponsored  by 

COMPUWARE.  inU. 


KEANE 


Satyam 


What  Business  Demands 


EHtAVVIS 


Presented  by 


CIO


The  Resource  for 
Information  Executives 


Sales  and  Services 

CIO  SALES  OFFICES 

President  Walter  Manninen 
Publisher  Gary  J.  Beach  •  508  935-4202 

Executive  VP  Sales/Custom  Publishing 

Ellen  Romanow  •  508  935-4796 

East  Coast 

Senior  Vice  President,  Sales  and  Integrated 
Solutions/East 

Joan Kelly • 508 935-4586

Senior  Regional  Mgr. 

Kathy  Powers  •  201 634-2331 
Regional  Sales  Manager 
Ellie Schwab • 201 634-2332
Account  Executive 
Joan  Bonadeo  •  201 634-2328 
Advertising  Sales  Associates 
Rhonda  Goodman  •  201 634-2329 
Sharon Patrick • 201 634-2333
Fax  •  201 634-9513 

New  England 

Senior  Vice  President,  Sales  and  Integrated 
Solutions/East 

Joan Kelly • 508 935-4586

Senior  Advertising  Sales  Associate 

Dawn  Cora  •  508  935-4092 
Fax  •  508  879-6063 


South  Central 

Regional  Director/Advertising  Sales 

Robert  E.  Sawdon  •  512  306-9801 

Senior  Advertising  Sales  Associate 

Brenda Garza • 512 306-9801
Fax  •  512  306-9805 

North  Central 

District  Sales  Manager 

Beth DeVillez • 847 441-3140
Advertising  Sales  Associate 
Kim  Giovanni  •  847  441-5005 
Fax  •  847  441-5150 

West  Coast 

VP  Sales/West 

Cheri  Parr  •  415  975-2685 

Senior  Regional  Manager/Advertising  Sales 

Jane  Evans  •  415  975-2680 

Senior Regional Manager/Advertising Sales

Ai Collins • 415 975-2686

Account  Executive 

Derek  Jung  •  415  975-2683 

Fax  •  415  543-2358 

Southern  California 

Account  Executive 

Issac  Ugay  •  949  475-5579 
Fax  •  949  475-5583 


LIST  SERVICES 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 
List  Services  Account  Executive 
Stephanie  Roy  •  508  935-4151 

ONLINE  SERVICES 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 
Online  Sales  Manager 
Michael McPhee • 508 935-4611

CUSTOM  PUBLISHING 

Group  Director  •  Michael  Siggins 
Director  •  Mary  Gregory 
Director of Content Development • Tom Field
Project Managers • John Danielowich, Amy Greenleaf

Graphic  Designer  •  Christopher  Brown 

REPRINT  SERVICES 

For  article  reprints  (500  quantity  or  more), 
please  contact  Chad  Johnston  at 
RSiCopyright  (651 582-3800)  or  via  e-mail 
at  cioreprints@rsicopyright.com. 

CIO  IS  PUBLISHED  IN  THE 
UNITED  STATES  AS  WELL  AS  IN: 

Australia,  CIO  Australia  www.idg.com.au 
Canada,  CIO  Canada  www.lti.on.ca/cio 
China,  CEO  &  CIO  China  www.ceocio.com.cn 


Index  of  Companies  and  Advertisers 

Page  numbers  refer  to  the  first  page  of  the  article(s)  in 
which  the  company  has  a  substantial  mention.  This 
index  is  provided  as  a  service  to  readers.  The  publisher 
does  not  assume  any  liability  for  errors  or  omissions. 


COMPANY  INDEX 

Agilent Technologies Inc., 146
Alliant Energy Corp., 105
Amazon.com Inc., 36
AT&T Corp., 146
Aventail Corp., 146
Capital Printing Systems Inc., 36
Cashman Equipment Co., 66
Cognizant Technology Solutions Corp., 146
Counterpane Internet Security Inc., 79
Covenant Health, 79
Deloitte Consulting, 146
Denver Health Hospital Authority, 105
DFS Group Ltd., 146
eBay Inc., 79
EMC Corp., 36, 105
Escalate Inc., 66
Evaluator Group Inc., 105
Everest Group, 146
FactPoint Group, 36
Fiberlink Communications Corp., 146
Forrester Research Inc., 36
Forsythe Technology Inc., 36, 115
Gartner Inc., 36, 94, 115
GlassHouse Technologies Inc., 105
Global Insight Inc., 66
Gric Communications Inc., 146
Hewlett-Packard Co., 146
Highland Partners, 66
Hon Industries Inc., 66
IBM Corp., 94, 115
International Data Corp., 146
Internet Security Systems Inc., 36
iPass Inc., 146
Janco Associates Inc., 66
LeftHand Networks Inc., 105
Lehman Brothers Holdings Inc., 94
Lockton Cos. Inc., 66
McDonald's Corp., 146
McKesson Corp., 36
Meta Group Inc., 66, 94, 105, 146
Microsoft Corp., 36
Miller-Williams Inc., 122
Motorists Insurance Group, The, 79
NerveWire Inc., 94
Netegrity Inc., 94
Novell Inc., 94
Nucor Corp., 94
Oblix Inc., 94
Omnipod Inc., 36
Oracle Corp., 146
Paccar Inc., 105
Pivotal Corp., 36
Pratt & Whitney, 66
PricewaterhouseCoopers, 66, 79, 94
Schneider National Inc., 36
Siebel Systems Inc., 36
Sikorsky Aircraft Corp., 66
SPX Corp., 94
Starbucks Corp., 146
SunGard Availability Services, 36
Symantec Corp., 36
Target Corp., 36
TManage Inc., 146
TopCoder Inc., 36
Toys "R" Us Inc., 36
U.S. Can Corp., 66
Wendover Corp., 66
Williams-Sonoma Inc., 66
Xerox Corp., 146
Yankee Group, 105
Yellow Technologies Inc., 105

ADVERTISER  INDEX 

Actuate Corp., 23
American Power Conversion, 97
AMS, 32, 33
Avaya, 117
BearingPoint Inc., 63
Berbee Information Networks Corp., 61
BlackBerry, 101
BT, 133
Business Objects Inc., 147
CIBER Inc., 64a
Cisco Systems Inc., 58
Citrix Systems Inc., 73
Cognos, 34
Computer Associates Intl. Inc., C4, 5
CXO Media Inc., 18, 64, 98, 102, 104, 123, 129, 155, 156, 159
Data Return, 75
Dell Inc., 42, 120, 121
Diversified Software, 131
EMC Corp., 114
Enterasys Networks, 41
Gateway, C3
Hewlett-Packard Co., 81, 83, 123 (regional)
IBM Corp., C2, 19, 21, 99, 103, 112, 139, 141, 153
Informatica Corp., 135
Intel Corp., 50
Johnson Controls, 110
Keane Inc., 78
Kyocera Mita Corp., 89
Legato Systems Inc., 149
Microsoft Corp., 69, 127, 128a
NEC Solutions Inc., 26
NetIQ Corp., 143
Network Associates Inc., 2
Nextel Communications Inc., 17
NextiraOne, 9
Nokia, 91
Novell, 77
OKI, 57
Opsware Inc., 151
Oracle Corp., 119
Panduit Corp., 45
Peerstone Research, 20
PeopleSoft Inc., 39
Primavera Systems Inc., 85
Quantum DLTtape, 24, 25
Resources Connection, 29
Samsung, 49
SAP, 10
SAS, 47
Savin Corp., 107
Sharp Electronics Corp., 30, 31
SkyTel Corp., 53
Sony Electronics, 125
Sprint, 7, 71
SSH, 109
Sterling Commerce, 37
TIBCO Software Corp., 145
Unisys Corp., 14
VeriSign Inc., 137
Veritas, 55
Xerox Corp., 13




France,  CIO  France  www.idg.fr/cio 
Germany,  CIO  Germany  www.cio.de 
India,  CIO  India  91-80-521-0309/12 
Japan,  CIO  Japan  www.idg.co.jp 
New  Zealand,  CIO  New  Zealand  www.idg.co.nz 
Norway,  CIO  Business  Standard 
www.business-standard.no 
Poland,  CXO  Poland  www.cxo.pi 
Singapore,  CIO  ACEN/Hong-Kong 
www.idg.com.sg 

South  Korea,  CIO  Korea  www.cio.seoul.kr 
Sweden,  CIO  Sweden  www.cio.idg.se 

For  further  sales  information,  visit 

www.cio.com/marketing/salesoffices.html. 


CIO  Contact 
Information 

Editorial,  Advertising  and  Business 
Offices:  492  Old  Connecticut  Path, 
P.O.  Box  9208,  Framingham,  MA 
01701-9208,  508  872-0080. 

CIO (ISSN 0894-9301) is published
semimonthly and as a combined issue
December 15/January 1 by CXO Media
Inc., 492 Old Connecticut Path, P.O.
Box 9208, Framingham, MA 01701-9208.
Periodicals postage paid at
Framingham, MA, and at additional
mailing offices. Canada Publications
Mail Agreement Number 1902075.
CANADIAN POSTMASTER: Please
return undeliverable copy to P.O. Box
1632, Windsor, ON N9A 7C9.

Permissions: Copyright 2003 by
CXO  Media  Inc.  All  rights  reserved. 
Reproduction  of  material  appearing 
in  CIO  is  forbidden  without  written 
permission.  Send  all  requests  to 
Permissions  Department,  CIO,  492 
Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208. 

Photocopy Rights: Permission to
photocopy for internal or personal
use or the internal or personal use of
specific clients is granted by CIO for
users through the Copyright Clearance
Center, provided that the base
fee of $3 per copy of the article, plus
$.50 per page is paid directly to
Copyright Clearance Center, 27
Congress Street, Salem, MA 01970.
Please specify: ISSN 0894-9301.
Permission to photocopy does not
extend to contributed articles
followed by this symbol; $.

Subscriptions: Address inquiries to
CIO, P.O. Box 489, Northbrook, IL
60065-0489; 866 354-1125. CIO is
free to qualified information executives.
To all others the one-year basic
rate is $95 for the United States and
Canada, $195 to foreign countries
(payable in U.S. funds only). The
single copy price is $9. Please allow
four to six weeks for new subscriptions
to begin.

Change  of  Address:  Please  go  to 
www.omeda.com/custsrv/cio  and 
follow  the  online  instructions. 

Postmaster: Send change of address
to CIO, P.O. Box 489, Northbrook, IL
60065-9816. Printed in the U.S.A.


YOU  NEED  TO  GET  SMART  FAST 


Are your customers demanding access to more data? Can
your systems deliver? What are the costs, steps and technologies
needed to create an integrated enterprise? What
are your peers doing to achieve successful integration?

Turn to the CIO FOCUS™ on I.T. INTEGRATION: MAKING
CONNECTIONS FOR EFFICIENCY AND ADVANTAGE,
actionable information created, filtered and packaged by the
award-winning editors of CIO magazine.

CIO  FOCUS™  is  delivered  right  to  your  desktop  giving  you 
immediate  access  to  the  information  you  need.  And  for  your 
future  reference  needs,  the  electronic  file  is  followed  by  a 
packaged  version,  shipped  within  72  hours.  Available  now  at 
an  introductory  price. 

CIO  FOCUS™ 

STRATEGIC  GUIDES  FOR  EXECUTIVE  DECISION  MAKING 


CIO  FOCUS™ 

The  ERP  Life  Cycle:  Planning, 
Execution  and  Post-Implementation 

The  Elite  CIO:  Going  Beyond 
the  Basics 

Knowledge  Management:  Harnessing 
the  Power  of  Intellectual  Assets 

The  Balanced  Scorecard 

Fundamentals  of  the  CIO  Role 


The  Resource 
for  Information 
Executives 


FOR  EXECUTIVE  DECISION-SUPPORT  TOOLS,  VISIT  THE  CIO  STORE-THE  CIO'S  KNOWLEDGE  MARKETPLACE. 

www.TheCIOStore.com 


EXECUTIVE 


October  15,  2003 


COVER  STORY 

The  Incredible  Shrinking  CIO 

By Stephanie Overby | 66

The year 2003 may be when we witness
a decline in the clout, qualifications
and fortunes of the CIO role.
The evidence? The percentage of CIOs
reporting to CFOs doubled this year from
last year. Business units increasingly are making
IT decisions independently of the CIO.
And executive recruiters say some companies
are now hiring less-experienced, junior-level
people to fill IT leader openings. Even though
the growing trend toward outsourcing has
emboldened some CEOs to rein in what they
see as an overinflated executive position, companies
that go this route risk loss of competitive
advantage, chaotic IT spending and
loss of vendor management. To combat this
trend, CIOs must regain their business credibility
by running the IS department as if it
were a business and they were its CEO. CIOs
should surround themselves with people with
business backgrounds and cultivate relationships
with the business leaders, no matter
whom they report to. If they aren’t asked to
serve on the executive committee, they should
invite themselves to sit in on the meetings.


“Companies  are  stepping 
back  and  saying  the  job 
isn’t  that  big.  We’re  making 
less  investment  in  IT.  We 
have  a  smaller  headcount. 
We’re  done  with  ERP. 
We’re  sending  it  all  offshore. 
We  don’t  need  the  caliber 
of  CIO  we  may  have  had  in 
the  past.” 

-PHIL  SCHNEIDERMEYER,  CIO  PRACTICE 
LEADER  FOR  EXECUTIVE  RECRUITING 
COMPANY  HIGHLAND  PARTNERS 


The State of Information Security 2003 By Scott Berinato | 79

THE  RESULTS  OF  OUR  INTERNATIONAL  SURVEY  on  information  security  showed 
that  as  much  as  the  toddling  discipline  has  grown  since  its  baptism  in  September  2001,  it  hasn’t 
improved  much.  Data  from  more  than  7,500  respondents  showed  increased  spending,  but  with  little 
effect  mitigating  security  breaches.  The  increased  deployment  of  technology  hasn’t  helped  because  it 
hasn’t  been  matched  by  a  similar  deployment  of  training,  education  and  awareness.  Companies  must 
target  spending  on  awareness,  education  and  risk  management  training — instead  of  throwing  more 
technology  at  the  problem.  Also,  they  should  take  better  advantage  of  the  data  existing  technology 
generates  to  analyze  and  weigh  relative  risk.  The  survey  also  yielded  security  spending  per  capita 
benchmarks  within  industries  and  regions,  independent  of  company  size  (the  average  overall  spend 
was  $964  per  capita).  This  is  the  best  way  for  companies  to  gauge  whether  their  spending  is  on  par 
with  their  industries  and  locations. 

Identity Crisis By Ben Worthen | 94

INSTALLING  AN  IDENTITY  MANAGEMENT  SYSTEM  can  be  a  time-consuming  and 
hugely  complicated  process.  But  it  can  boast  impressive  returns  if  done  right.  Such  a  system  allows 
the  CIO  to  both  block  unauthorized  access  to  systems  and  monitor  systems  activity.  It  also  lets  the 
company  provide  new  employees  with  almost  immediate  access  to  the  applications  they  need — and 
take  away  access  from  former  employees  just  as  quickly.  And  since  authentication  (you  are  who  you 
claim  to  be)  and  authorization  (you’re  allowed  to  do  what  you’re  trying  to  do)  occur  at  one  location, 
employees  can  access  all  their  applications  with  a  single  user  name  and  password,  a  move  that  can 
dramatically  cut  down  help  desk  calls. 


Storage Essentials By Todd Datz | 105

STORAGE WAS ALREADY A HUGE DRAIN ON THE I.T. BUDGET, but now the data
storage requirements of regulations such as HIPAA are adding further stresses. The solution is to
manage storage like a resource, with a strategy in place and dedicated staff. As part of their strategy,
Case Western Reserve University, Yellow Corp. and Paccar are investing in storage resource management
tools, one of the best ways to look at capacity, who’s consuming it and who last accessed it.
Another approach is to segment data into two or three discrete tiers based on typical usage, to be
archived in appropriate storage systems. Storage decisions should take into account company-favored
metrics, whether total cost of ownership, ROI or something else.


Case Files: Project Triage By Late Low | 115

RAPID  EXPANSION  AT  THE  VISITING  NURSE  SERVICE  (VNS)  of  New  York  opened  a 
floodgate  of  projects  that  vied  for  funding.  To  measure  the  relative  value  of  each,  VNS  developed  its 
own  valuation  methodology.  Each  IT  project  proposal  goes  through  three  stages.  First,  the  project 
sponsor  completes  a  project  request  form  and  submits  it  to  IS.  Next,  the  sponsor  works  with  IS  staff 
and  members  of  a  steering  committee,  which  includes  representatives  from  IS,  business  development, 
finance  and  operations,  to  refine  the  project  request’s  benefits,  costs  and  risk  analysis.  Projects  are 
scored  for  financial  and  nonfinancial  impact  as  well  as  risk.  Proposals  with  high  risk  are  not  approved 
until  the  risk  is  mitigated.  Then  the  VNS  steering  committee  and  the  CEO  recommend  projects  to  the 
board  of  directors — based  on  aggregate  scoring — for  approval  and  funding.  Once  the  board  authorizes 
a project, IS works with the project sponsors to develop a project charter, a road map to development
and implementation.




The  Gateway®  200  Series  Notebook  is  as  mobile  as  you  want  to  be,  with  all  the  power  and 
integrated  wireless  capabilities  you  need  in  a  less  than  1"  thin  design.  The  Hand  that  integrates 
it  with  your  whole  office,  to  provide  seamless  access  whether  you’re  in  the  office  or  on  the  road. 
The  combination  of  accessible  technology  and  humans  who  are  too.  That’s  Humanology. 



For more about what Humanology can do for you and the Gateway® 200 notebook featuring Intel® Centrino™
mobile technology, call 888-888-0438. www.gateway.com/work


Gateway  recommends  Microsoft®  Windows®  XP  Professional  for  Business. 

Copyright  ©2003  Gateway,  Inc.  All  rights  reserved.  Gateway,  the  Spotted  G  logo  and  the  Black  and  White  Spot  Design  are  trademarks  or  registered  trademarks  of 
Gateway,  Inc.  in  the  U.S.  and  other  countries.  Intel,  Intel  Centrino,  Intel  Inside,  the  Intel  Centrino  logo  and  the  Intel  Inside  logo  are  trademarks  or  registered  trademarks 
of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries.  Microsoft  and  Windows  are  registered  trademarks  of  Microsoft  Corporation. 


The  right  management  can  put  you  in  control  of  your  infrastructure, 
not  the  other  way  around. 


Unicenter  Infrastructure  Management  Software 


So  long,  mayhem.  Management  is  here.  Unicenter  infrastructure  management  software  gives  you  unparalleled 
control  of  your  IT  environment.  It  lets  your  infrastructure  react  to  changes  in  real  time,  so  your  IT  and  business 
priorities  are  always  in  sync.  Its  self-healing  capabilities  help  you  do  more  with  less  and  control  costs.  To  learn 
how  the  right  management  can  help  you  realize  on-demand  computing  with  your  existing  infrastructure,  or  to  get 
a  white  paper,  go  to  ca.com/infrastructure. 


Computer  Associates® 


©  2003  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved. 


